Out Of Bounds Write in Feathersjs with Jwt Tokens
Out Of Bounds Write in Feathersjs with Jwt Tokens — how this specific combination creates or exposes the vulnerability
An Out Of Bounds Write occurs when application logic allows data to be written outside the intended memory or buffer boundaries. In FeathersJS, this typically manifests through unsafe mutation of request state, arrays, or buffers when handling authenticated requests that rely on JWT tokens for identity. The combination of FeathersJS hooks and JWT authentication can expose this vulnerability when authorization checks are incomplete or when decoded token payloads are used to directly index into arrays or buffers without validating bounds.
FeathersJS uses hooks to process requests, and if a hook decodes a JWT token to extract user identity (e.g., via context.params.token or a custom hook), it might then use claims like userId or index to access resources. If the application trusts these claims without verifying that the referenced index or identifier is within valid bounds, an attacker can supply an out-of-range value. For example, a token with { "index": 9999 } could be used to target an array that only holds 10 elements, leading to memory corruption or unintended data overwrites on the server side.
During black-box scanning, middleBrick tests for such scenarios by submitting authenticated requests with manipulated JWT payloads containing extreme numeric claims or oversized buffers. The scanner checks whether the application performs proper validation before using token-derived values to compute memory offsets or array indices. Without explicit bounds checking, the server may write data to invalid memory regions, potentially exposing sensitive information or causing instability. This risk is particularly relevant when FeathersJS services interact with native addons or shared buffers where unchecked writes can have immediate security implications.
Real-world attack patterns include exploiting OWASP API Top 10:2023 broken object level authorization (BOLA) when token claims are used to infer internal IDs, combined with missing input validation. For instance, an attacker might modify a JWT containing { "resourceIndex": 0 } to { "resourceIndex": 5000 } and observe whether the server performs an out-of-bounds write to a shared state object. middleBrick’s LLM/AI Security checks also test for prompt injection risks that could manipulate token generation, while the standard authentication and BOLA/IDOR checks validate whether token claims are safely bounded before use.
To detect this during a scan, middleBrick submits requests with malformed or extreme JWT payloads while monitoring server behavior. The tool does not fix the issue but provides findings with severity, guidance, and references to OWASP categories. Developers should ensure that any data derived from JWT claims—especially numeric indices or identifiers—is validated against known safe ranges before being used in memory operations or data structure access.
Jwt Tokens-Specific Remediation in Feathersjs — concrete code fixes
Remediation focuses on validating and sanitizing data extracted from JWT tokens before using it in any array, buffer, or memory operation. Always treat token claims as untrusted input. In FeathersJS, this is typically done within hooks or service logic before accessing resources.
Example of insecure code that uses a JWT claim directly to index an array:
// Insecure: using JWT claim without bounds check
app.service('resources').hooks({
before: {
async create(context) {
const userIndex = context.params.token.userIndex; // From JWT
const sharedBuffer = new Uint8Array(10);
sharedBuffer[userIndex] = 42; // Potential out-of-bounds write
return context;
}
}
});
Secure version with explicit validation:
// Secure: validate index against array bounds
app.service('resources').hooks({
before: {
async create(context) {
const userIndex = context.params.token.userIndex;
const MAX_RESOURCES = 10;
if (typeof userIndex !== 'number' || userIndex < 0 || userIndex >= MAX_RESOURCES) {
throw new Error('Invalid resource index');
}
const sharedBuffer = new Uint8Array(MAX_RESOURCES);
sharedBuffer[userIndex] = 42;
return context;
}
}
});
When using JWT tokens for object-level authorization, ensure that the claimed resource ID maps to a valid record in your data store rather than using it as a direct pointer. For array-like structures, always check length before assignment. middleBrick’s authentication and BOLA/IDOR checks will flag cases where token-derived identifiers are used without validation.
For applications using the feathers-authentication-jwt hooks, add a post-authentication hook to sanitize claims:
// Sanitize JWT claims after authentication
const sanitizeClaims = context => {
if (context.result && context.result.user) {
const safeUser = {
...context.result.user,
permittedIndex: Math.min(context.result.user.permittedIndex || 0, 99) // Cap value
};
context.result.user = safeUser;
}
return context;
};
app.hooks({
after: {
authenticate: [sanitizeClaims]
}
});
Additionally, avoid storing sensitive or index-related data directly in JWT payloads unless necessary, as tokens are base64-encoded and not encrypted by default. Use opaque identifiers and validate them server-side against a trusted data source. The middleBrick CLI can scan your service definitions to highlight areas where JWT-derived values are used in unsafe operations.
Finally, combine these practices with input validation libraries like ajv or joi to enforce strict schemas on decoded token payloads. This prevents malformed or extreme values from entering critical logic paths that could lead to out-of-bounds conditions.