Heap Overflow in Adonisjs with Mutual Tls

A heap overflow in AdonisJS when Mutual TLS (mTLS) is enabled arises from unchecked input handling in TLS-terminated request pipelines. When mTLS is active, the server performs client certificate validation and terminates TLS at the application boundary. If AdonisJS or its underlying parser processes oversized or malformed handshake data—such as client certificate fields, headers, or payloads—before validating size constraints, it can allocate insufficient heap buffers. Subsequent writes beyond allocated boundaries corrupt adjacent memory, leading to crashes or potential code execution. This combination is notable because mTLS increases the size and complexity of inbound data (certificates, chains, and metadata) that traverses the same parsing logic used for regular HTTP traffic, expanding the attack surface compared to TLS-only setups.

Specifically, the risk is not in TLS itself but in how AdonisJS integrates with the Node.js runtime’s stream and parser layers when mTLS is enforced. For example, large Subject Alternative Names (SANs) or deeply nested certificate chains can buffer excessively if the application reads them into fixed-size heap structures without proper length checks. The unauthenticated attack surface tested by middleBrick—where no client certificates are required for initial probing—can still trigger parsing routines that expose these overflow conditions when mTLS is misconfigured to accept oversized or untrusted inputs. Real-world patterns include missing checks on header sizes or certificate payloads that map to C++ add-on behavior in native modules, which can manifest as segmentation faults detectable in crash logs. These issues align with OWASP API Top 10 categories such as Security Misconfiguration and Excessive Data Exposure, and they may map to CVEs affecting underlying dependencies when heap corruption is feasible.

middleBrick’s 12 security checks run in parallel against the unauthenticated endpoint, including Input Validation and Unsafe Consumption, to detect anomalies that could indicate heap corruption risks under mTLS. The scanner does not require client certificates to identify misconfigurations that allow oversized or malformed TLS metadata to reach application code. By correlating spec definitions from OpenAPI/Swagger (with full $ref resolution) against runtime behavior, middleBrick can highlight mismatches where expected size limits are absent, providing findings with severity and remediation guidance. This is particularly relevant for compliance frameworks like PCI-DSS and SOC2, where control over data integrity and error handling is mandated.

To mitigate heap overflow risks in AdonisJS with mTLS, apply strict size limits and validation at the TLS and HTTP layer. Below are concrete, working examples that configure mTLS and sanitize inputs to reduce exposure.

Mutual TLS setup in AdonisJS

Ensure your server enforces certificate validation and rejects oversized or malformed data early. Use AdonisJS hooks or middleware to inspect headers and payload sizes before they reach route handlers.

// start/server.ts
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { schema } from '@ioc:Adonis/Core/Validator'

// Middleware to enforce size limits and validate client certificates
export const validateMTLS = async (ctx: HttpContextContract, next: () => Promise) => {
  const MAX_HEADER_SIZE = 8 * 1024 // 8 KB
  const MAX_PAYLOAD_SIZE = 64 * 1024 // 64 KB

  // Reject requests with oversized headers
  for (const [key, value] of Object.entries(ctx.request.headers())) {
    if (Buffer.byteLength(value, 'utf8') > MAX_HEADER_SIZE) {
      ctx.response.badRequest({ error: 'Header size limit exceeded' })
      return
    }
  }

  // Reject requests with oversized payloads
  if (ctx.request.bodySize && ctx.request.bodySize > MAX_PAYLOAD_SIZE) {
    ctx.response.badRequest({ error: 'Payload size limit exceeded' })
    return
  }

  // Ensure client certificate is present and valid (handled by TLS layer, but app can assert)
  const clientCert = ctx.request.sslClientCert
  if (!clientCert || !clientCert.subject) {
    ctx.response.unauthorized({ error: 'Client certificate required' })
    return
  }

  await next()
}

// Apply globally in start/hooks.ts
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
Server.use([(ctx) => validateMTLS(ctx, async () => {})])

In start/server.ts, configure the HTTPS server with strict options to limit accepted certificate sizes and reject weak ciphers:

// start/server.ts
import { Server } from '@poppinss/dev-utils'

Server.useSSL({
  key: '/path/to/server-key.pem',
  cert: '/path/to/server-cert.pem',
  ca: '/path/to/ca-bundle.pem',
  requestCert: true,
  rejectUnauthorized: true,
  maxHeaderSize: 8192, // Node.js TLS max header size enforcement
  honorCipherOrder: true,
  ciphers: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',
})

const server = require('adonisjs/fold')(() => {})
server.boot()

For input validation, use AdonisJS schema rules to cap string and buffer sizes in request bodies:

// validation/UserValidator.ts
import { schema } from '@ioc:Adonis/Core/Validator'

export const userSchema = schema.create({
  username: schema.string({}, [schema.maxLength(64)]),
  metadata: schema.optional(
    schema.object({}).anyMembers([
      schema.string.optional({}, [schema.maxLength(256)]),
    ])
  ),
})

These measures align with OWASP API Top 10 controls for Security Misconfiguration and help ensure that heap allocations remain bounded. middleBrick’s Pro plan supports continuous monitoring for such configurations with GitHub Action integration, which can fail builds if risk scores exceed your threshold, and the MCP Server lets you scan APIs directly from your IDE for early detection.