[npm] supergateway: Unbounded HTTP Body in SSE Mode (CWE-770) #7291

@razashariff

Description

Package

  • Name: supergateway
  • Ecosystem: npm
  • Affected versions: <= 3.4.3
  • Weekly downloads: ~107,000

Vulnerability

CWE-770: Allocation of Resources Without Limits or Throttling

In SSE transport mode, supergateway explicitly skips body-parser for the /message endpoint (stdioToSse.ts:91-93), so no request body size limit is applied. An attacker can send arbitrarily large POST bodies, which are buffered without bound, exhausting memory (OOM) and causing denial of service.

Validated in 5/5 trials (100% reproducibility). The server accepted 50MB payloads without a 413 rejection.
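The mitigation for the issue above, as an added example that is not supergateway's own code: a Node request handler for an SSE-mode POST /message endpoint that caps the request body twice, once on the declared Content-Length before reading anything and again on the bytes actually received (Content-Length can be absent with chunked encoding, or simply lie). The cap value MAX_BODY_BYTES, the function names, and the 202/413 responses are assumptions chosen for this illustration.

```javascript
// Added example (not supergateway's own code): a bounded body reader for an
// SSE-mode POST /message endpoint. The weak pattern is buffering the whole
// request body with no cap; here the cap is enforced on the declared
// Content-Length up front and on the bytes actually streamed.

// Assumed cap for this illustration; size it to the largest legitimate
// JSON-RPC message the gateway is expected to relay.
const MAX_BODY_BYTES = 1024 * 1024; // 1 MiB

// Inspect the declared length before reading anything.
// Returns null when acceptable, otherwise { status, reason } for the response.
function checkDeclaredLength(headers, maxBytes) {
  const raw = headers['content-length'];
  if (raw === undefined) return null; // chunked/unknown length: enforce while streaming
  const n = Number(raw);
  if (!Number.isInteger(n) || n < 0) return { status: 400, reason: 'invalid content-length' };
  if (n > maxBytes) return { status: 413, reason: 'payload too large' };
  return null;
}

// Running byte counter; add() returns true as soon as the cap is exceeded.
// This is the check that holds even when Content-Length is missing or wrong.
function createByteBudget(maxBytes) {
  let seen = 0;
  return {
    add(chunkLength) {
      seen += chunkLength;
      return seen > maxBytes;
    },
    seen() { return seen; },
  };
}

// Reads the body into memory but stops at the cap, so a client can force at
// most maxBytes of buffering per request instead of an arbitrary amount.
function readBoundedBody(req, maxBytes) {
  return new Promise((resolve, reject) => {
    const early = checkDeclaredLength(req.headers, maxBytes);
    if (early) {
      reject(Object.assign(new Error(early.reason), { status: early.status }));
      return;
    }
    const budget = createByteBudget(maxBytes);
    const chunks = [];
    let done = false;
    req.on('data', (chunk) => {
      if (done) return;
      if (budget.add(chunk.length)) {
        done = true;
        req.pause(); // stop pulling data; Node discards the remainder once we respond
        reject(Object.assign(new Error('payload too large'), { status: 413 }));
        return;
      }
      chunks.push(chunk);
    });
    req.on('end', () => { if (!done) resolve(Buffer.concat(chunks)); });
    req.on('error', (err) => { if (!done) reject(err); });
  });
}

// Request handler for the SSE-mode message endpoint. Forwarding the parsed
// JSON-RPC message to the stdio child is out of scope for this example.
async function handleMessage(req, res, maxBytes = MAX_BODY_BYTES) {
  if (req.method !== 'POST' || !req.url.startsWith('/message')) {
    res.writeHead(404);
    res.end();
    return;
  }
  try {
    const body = await readBoundedBody(req, maxBytes);
    JSON.parse(body.toString('utf8')); // reject non-JSON before any further work
    res.writeHead(202);
    res.end();
  } catch (err) {
    const status = err.status || (err instanceof SyntaxError ? 400 : 500);
    // Connection: close so an oversized, partially read request is not reused.
    res.writeHead(status, { 'Content-Type': 'text/plain', Connection: 'close' });
    res.end(`${err.message}\n`);
  }
}

// Wire-up when run directly (hypothetical port):
// require('node:http').createServer((req, res) => handleMessage(req, res)).listen(8000);
```

With this handler in place, a 50MB POST with an honest Content-Length is refused with 413 before a single body byte is buffered, and a chunked or mislabelled upload is cut off as soon as the running total passes the cap, so memory use per request is bounded by MAX_BODY_BYTES rather than by what the client chooses to send.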

CVSS

7.5 (High) — AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit

Raza Sharif, CyberSecAI Ltd
