Due to CVE-2023-48230 in Cap'n Proto (a library used by workerd), a remote client may be able to induce workerd to crash. Based on the details of the bug, we do not believe remote code execution can be achieved through this vulnerability, although we cannot completely rule it out.

The bug only affects Workers which accept WebSocket connections and process the messages in JavaScript or forward them to Durable Objects. (Workers that proxy WebSocket connections through to an origin server, without inspecting individual messages, are not affected.) Additionally, the WebSocket compression feature must be enabled. This feature is enabled by default for Workers with a compatibility date on or after 2023-08-15, or which have enabled the websocket-compression compatibility flag.

This bug was discovered internally by the Cloudflare Workers team. Our production service is already patched and we do not believe it was ever exploited.

Patches
git commit: 70b60d0b40110a18e74d5a49f7db83afd50fd832
workerd release: v1.20231121.0
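The conditions above can be turned into a quick triage check for a self-hosted workerd deployment. The following is an added example, not code from the advisory or from the workerd project; it assumes the Worker's configuration has already been parsed into a dict with the wrangler-style keys compatibility_date and compatibility_flags, uses the flag spelling the advisory gives (websocket-compression) while tolerating hyphen/underscore variants, and compares workerd release strings of the form v1.YYYYMMDD.N numerically.

```python
from datetime import date

# Facts taken from the advisory text.
COMPRESSION_DEFAULT_DATE = date(2023, 8, 15)   # compat date on/after which compression is on by default
FIXED_RELEASE = "v1.20231121.0"                # first workerd release carrying the fix
COMPRESSION_FLAG = "websocket-compression"     # flag name as written in the advisory (spelling assumed)


def _normalize(flag):
    # Treat "websocket-compression" and "websocket_compression" as the same flag.
    return flag.lower().replace("-", "").replace("_", "")


def websocket_compression_enabled(config):
    """config: parsed Worker config (dict) with optional
    'compatibility_date' (ISO string) and 'compatibility_flags' (list)."""
    flags = {_normalize(f) for f in config.get("compatibility_flags", [])}
    if _normalize(COMPRESSION_FLAG) in flags:
        return True
    compat = config.get("compatibility_date")
    if compat is None:
        return False
    return date.fromisoformat(compat) >= COMPRESSION_DEFAULT_DATE


def _release_key(version):
    # workerd releases look like v1.YYYYMMDD.N; compare as integers, not strings.
    return tuple(int(p) for p in version.lstrip("v").split("."))


def is_patched(workerd_version):
    return _release_key(workerd_version) >= _release_key(FIXED_RELEASE)


def potentially_affected(config, workerd_version, inspects_messages=True):
    """Apply the advisory's conditions: an unpatched workerd, a Worker that
    handles WebSocket messages itself (in JS or via Durable Objects), and
    WebSocket compression enabled. Pure pass-through proxies are not affected."""
    if is_patched(workerd_version):
        return False
    if not inspects_messages:
        return False
    return websocket_compression_enabled(config)


# Constructed sample configurations (not from the advisory).
SAMPLE_DEFAULT_ON = {"compatibility_date": "2023-09-01"}
SAMPLE_FLAG_ON = {"compatibility_date": "2023-07-01",
                  "compatibility_flags": ["websocket-compression"]}
SAMPLE_OFF = {"compatibility_date": "2023-07-01"}
```

An explicit disable flag is not modelled here; a Worker that turns compression off by flag would be reported as enabled if its compatibility date is on or after 2023-08-15.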