Meteor developers should be aware of a recently discovered security vulnerability. Please read this disclosure for full details and consult the Resolution section for the appropriate fix.
A remotely triggerable Denial-of-Service (DoS) vulnerability has been discovered that affects applications using Meteor Application Performance Monitoring (“APM”; formerly “Kadira”) through the mdg:meteor-apm-agent package or any similar “agent” package derived from the original meteorhacks:kadira package. These agents transmit performance metrics to Galaxy Meteor APM, NodeChef Meteor APM, and similar services.
This vulnerability has been patched in the mdg:meteor-apm-agent package, which is maintained by Meteor Development Group; packages maintained by other parties may also need to be patched. Please see the Resolution section below for the update that prevents the attack.
While a default Meteor configuration using only Meteor’s core packages is not vulnerable, the attack becomes possible when certain Meteor packages are installed. Such packages include, but are not limited to:
- Any package based on the meteorhacks:kadira package. Known public forks of that package are listed on the package’s GitHub network page, located at https://github.com/meteorhacks/kadira/network/members.
When a vulnerable version of an affected package is installed (whether or not it is configured), the attack payload can be delivered remotely. After the payload has been delivered, the application is likely to become unresponsive and will need to be restarted.
Objects may also receive additional properties that would not normally be present, such as wait. Assertions or logic that do not expect these extra properties may raise errors or behave unpredictably, including corrupting application data and losing APM data.
If an application does not use an affected package, we have no evidence the attack is possible.
Any application using an affected package should update to a patched version. Two of the most common packages have already had the vulnerability patched, and their update instructions are included here for convenience.
The vulnerability has been fixed in version 3.1.1 of the mdg:meteor-apm-agent package. The command to update and patch the vulnerability is:
meteor update mdg:meteor-apm-agent
We were not able to coordinate publishing of a patched version of the meteorhacks:kadira package with the package owner. Therefore, due to the popularity of this package, and with the best interest of the Meteor community in mind, Meteor Development Group has decided to publish a patched version of the meteorhacks:kadira package without relying on the package author to do so.
Because of this action, the vulnerability has been fixed in version 2.30.4 of the meteorhacks:kadira package. The command to update and patch the vulnerability is:
meteor update meteorhacks:kadira
To review the changes we published, please consult the pull-request we submitted to the meteorhacks:kadira GitHub repository, which can be seen here.
Applications using other APM “agent” packages
Application developers should confirm that the package they are using has received the appropriate patch, and update to the patched version of that package by using:
meteor update <package-name>
Maintainers of APM “agent” packages
Any package which was forked from meteorhacks:kadira should be patched. Maintainers of such packages should review the pull-request we submitted to the meteorhacks:kadira GitHub repository, which can be found here. The changes supplied in that pull-request should be applied to the package source of the forked package, and the patched package should be republished using meteor publish. Once republished, any application using the package should be updated to the newly published version, using the above command.
After running the appropriate meteor update command, developers should verify that the latest version of the affected package was installed, either by examining the output of the command or by inspecting the application’s
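The following script is an added example for that verification step; it is not part of the advisory or of either package. It assumes the standard layout of a Meteor app’s .meteor/versions file (one name@version entry per line) and encodes the two patched versions named above, 3.1.1 for mdg:meteor-apm-agent and 2.30.4 for meteorhacks:kadira, as the minimum acceptable releases. Any other package whose name contains “kadira” is reported as a probable fork that must be checked by hand, since the advisory cannot list every fork’s patched version. The embedded sample file contents are constructed for the demonstration.

```javascript
// Added example (not from the advisory): audit a Meteor app's pinned package
// versions against the patched releases named in the advisory.
// Assumes .meteor/versions uses one `name@version` entry per line.

// Minimum patched versions, taken from the advisory text above.
const PATCHED = new Map([
  ['mdg:meteor-apm-agent', '3.1.1'],
  ['meteorhacks:kadira', '2.30.4'],
]);

// Compare two dotted version strings numerically, so that 2.30.4 > 2.4.0.
// Returns -1, 0 or 1. Any pre-release suffix (after '-') is ignored here.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Parse .meteor/versions text into a Map of package name -> version.
function parseVersions(text) {
  const out = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const at = line.lastIndexOf('@');
    if (at <= 0) continue; // not a name@version entry
    out.set(line.slice(0, at), line.slice(at + 1));
  }
  return out;
}

// Produce one finding per package that is affected or looks like a fork.
// vulnerable: true  -> installed version is older than the patched release
//             false -> installed version is at or above the patched release
//             null  -> probable fork; the patch status must be confirmed manually
function auditVersions(text) {
  const findings = [];
  for (const [name, installed] of parseVersions(text)) {
    if (PATCHED.has(name)) {
      const minVersion = PATCHED.get(name);
      findings.push({
        name,
        installed,
        minVersion,
        vulnerable: compareVersions(installed, minVersion) < 0,
      });
    } else if (/kadira/i.test(name)) {
      // Heuristic: forks of meteorhacks:kadira usually keep "kadira" in the name.
      findings.push({ name, installed, minVersion: null, vulnerable: null });
    }
  }
  return findings;
}

// Constructed sample: an app that is up to date on mdg:meteor-apm-agent but
// still pins an unpatched meteorhacks:kadira, plus a hypothetical fork.
const SAMPLE = `
meteor-base@1.0.4
mdg:meteor-apm-agent@3.1.1
meteorhacks:kadira@2.30.3
example:kadira-fork@1.0.0
`;

function formatFinding(f) {
  if (f.vulnerable === null) {
    return `CHECK       ${f.name}@${f.installed} (possible fork; confirm the patch was applied)`;
  }
  const status = f.vulnerable ? 'VULNERABLE ' : 'ok         ';
  return `${status} ${f.name}@${f.installed} (patched >= ${f.minVersion})`;
}

// Usage: node audit-apm.js path/to/.meteor/versions  (runs on SAMPLE if omitted)
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const text = file ? require('fs').readFileSync(file, 'utf8') : SAMPLE;
  for (const f of auditVersions(text)) console.log(formatFinding(f));
}
```

Run it against the app’s own versions file after meteor update; a VULNERABLE line means the update did not take effect (for example because the version is pinned elsewhere), and a CHECK line means a fork whose patched version this script cannot know.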
Meteor believes in responsible disclosure of security vulnerabilities. We respect the hard work of security researchers who privately notify us with vulnerability details, and we appreciate the time they give us to address and resolve vulnerabilities before disclosing them publicly.
Credit for the discovery of this vulnerability goes to Adam Baldwin from Lift Security and Juho Hietala from Pacific Reach Advisors, Inc., who reported this issue to Meteor.
Please contact email@example.com to report a vulnerability in Meteor.
We’ll be actively monitoring this thread. Please keep your responses on-topic and helpful.