http2: cap originSet size to prevent unbounded memory growth

mcollina · aduh95 · commit 87d847bc708c · 2026-06-17T18:51:19.000+02:00
A malicious HTTP/2 server can send repeated ORIGIN frames with unique origins, causing unbounded growth of the client-side originSet for the lifetime of the session. Cap the set at 128 entries; once full, new origins from ORIGIN frames are silently dropped. Refs: https://hackerone.com/reports/3676863 PR-URL: nodejs-private/node-private#855 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48619
diff --git a/doc/api/errors.md b/doc/api/errors.md
@@ -1756,6 +1756,17 @@ added: v15.14.0
 The limit of acceptable invalid HTTP/2 protocol frames sent by the peer,
 as specified through the `maxSessionInvalidFrames` option, has been exceeded.
 
+<a id="ERR_HTTP2_TOO_MANY_ORIGINS"></a>
+
+### `ERR_HTTP2_TOO_MANY_ORIGINS`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+The number of uniq origin sent by the server has exceeded the value defined in
+`options.maxOriginSetSize`.
+
 <a id="ERR_HTTP2_TRAILERS_ALREADY_SENT"></a>
 
 ### `ERR_HTTP2_TRAILERS_ALREADY_SENT`
diff --git a/doc/api/http2.md b/doc/api/http2.md
@@ -3274,6 +3274,8 @@ changes:
     This is similar to [`server.maxHeadersCount`][] or
     [`request.maxHeadersCount`][] in the `node:http` module. The minimum value
     is `1`. **Default:** `128`.
+  * `maxOriginSetSize` {number} Sets the maximum number of uniq origin the sever
+    can send via ORIGIN frames. **Default:** `128`.
   * `maxOutstandingPings` {number} Sets the maximum number of outstanding,
     unacknowledged pings. **Default:** `10`.
   * `maxReservedRemoteStreams` {number} Sets the maximum number of reserved push
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
@@ -1336,6 +1336,8 @@ E('ERR_HTTP2_STREAM_SELF_DEPENDENCY',
 E('ERR_HTTP2_TOO_MANY_CUSTOM_SETTINGS',
   'Number of custom settings exceeds MAX_ADDITIONAL_SETTINGS', Error);
 E('ERR_HTTP2_TOO_MANY_INVALID_FRAMES', 'Too many invalid HTTP/2 frames', Error);
+E('ERR_HTTP2_TOO_MANY_ORIGINS',
+  'The server sent more ORIGIN frames than the allowed number of %s', Error);
 E('ERR_HTTP2_TRAILERS_ALREADY_SENT',
   'Trailing headers have already been sent', Error);
 E('ERR_HTTP2_TRAILERS_NOT_READY',
diff --git a/lib/internal/http2/core.js b/lib/internal/http2/core.js
@@ -102,6 +102,7 @@ const {
     ERR_HTTP2_STREAM_ERROR,
     ERR_HTTP2_STREAM_SELF_DEPENDENCY,
     ERR_HTTP2_TOO_MANY_CUSTOM_SETTINGS,
+    ERR_HTTP2_TOO_MANY_ORIGINS,
     ERR_HTTP2_TRAILERS_ALREADY_SENT,
     ERR_HTTP2_TRAILERS_NOT_READY,
     ERR_HTTP2_UNSUPPORTED_PROTOCOL,
@@ -255,6 +256,7 @@ const kInit = Symbol('init');
 const kInfoHeaders = Symbol('sent-info-headers');
 const kLocalSettings = Symbol('local-settings');
 const kNativeFields = Symbol('kNativeFields');
+const kMaxOriginSetSize = Symbol('max-ORIGIN-set-size');
 const kOptions = Symbol('options');
 const kOwner = owner_symbol;
 const kOrigin = Symbol('origin');
@@ -723,8 +725,13 @@ function onOrigin(origins) {
   if (!session.encrypted || session.destroyed)
     return undefined;
   const originSet = initOriginSet(session);
-  for (let n = 0; n < origins.length; n++)
+  for (let n = 0; n < origins.length; n++) {
+    if (originSet.size >= session[kMaxOriginSetSize]) {
+      session.destroy(new ERR_HTTP2_TOO_MANY_ORIGINS(session[kMaxOriginSetSize]));
+      return;
+    }
     originSet.add(origins[n]);
+  }
   session.emit('origin', origins);
 }
 
@@ -3591,6 +3598,13 @@ function connect(authority, options, listener) {
   assertIsObject(options, 'options');
   options = { ...options };
 
+  let { maxOriginSetSize } = options;
+  if (maxOriginSetSize != null) {
+    validateNumber(maxOriginSetSize, 'options.maxOriginSetSize', 0);
+  } else {
+    maxOriginSetSize = 128;
+  }
+
   assertIsArray(options.remoteCustomSettings, 'options.remoteCustomSettings');
   if (options.remoteCustomSettings) {
     options.remoteCustomSettings = [ ...options.remoteCustomSettings ];
@@ -3646,6 +3660,7 @@ function connect(authority, options, listener) {
 
   session[kAuthority] = `${options.servername || host}:${port}`;
   session[kProtocol] = protocol;
+  session[kMaxOriginSetSize] = maxOriginSetSize;
 
   if (typeof listener === 'function')
     session.once('connect', listener);
diff --git a/test/parallel/test-http2-origin-set-max-size.mjs b/test/parallel/test-http2-origin-set-max-size.mjs
@@ -0,0 +1,110 @@
+import {
+  expectsError,
+  hasCrypto,
+  mustCall,
+  mustNotCall,
+  mustSucceed,
+  skip,
+} from '../common/index.mjs';
+import * as fixtures from '../common/fixtures.mjs';
+import assert from 'node:assert';
+
+if (!hasCrypto)
+  skip('missing crypto');
+
+const {
+  createSecureServer,
+  connect,
+} = await import('node:http2');
+
+const key = fixtures.readKey('agent8-key.pem', 'binary');
+const cert = fixtures.readKey('agent8-cert.pem', 'binary');
+const ca = fixtures.readKey('fake-startcom-root-cert.pem', 'binary');
+
+const server = createSecureServer({ key, cert });
+server.on('stream', (stream) => {
+  stream.respond();
+  stream.end('ok');
+});
+server.on('session', (session) => {
+  let i = 0;
+  const timer = setInterval(() => {
+    try {
+      session.origin(...Array.from({ length: 10 }, () => `https://o${i++}.example.com`));
+    } catch {
+      clearInterval(timer);
+    }
+  }, 10);
+
+  session.on('close', () => {
+    clearInterval(timer);
+  });
+});
+
+await new Promise((resolve) => server.listen(0, resolve));
+
+// Test fantasist values
+[Symbol(), '0', 1n, {}, [], true, false, /s/, () => {}].forEach((maxOriginSetSize) => {
+  assert.throws(
+    () => connect(`https://localhost:${server.address().port}`, { ca, maxOriginSetSize }),
+    { code: 'ERR_INVALID_ARG_TYPE' },
+  );
+});
+[NaN, -1].forEach((maxOriginSetSize) => {
+  assert.throws(
+    () => connect(`https://localhost:${server.address().port}`, { ca, maxOriginSetSize }),
+    { code: 'ERR_OUT_OF_RANGE' },
+  );
+});
+
+await new Promise((resolve) => server.getConnections(mustSucceed((count) => {
+  assert.strictEqual(count, 0);
+  resolve();
+})));
+
+// Test default value
+await new Promise((resolve) => {
+  const client = connect(`https://localhost:${server.address().port}`, { ca });
+
+  client.on('origin', mustCall(12)); // Default value is 128, the first 12 frames should pass, the 13th one should error
+  client.on('error', expectsError({
+    code: 'ERR_HTTP2_TOO_MANY_ORIGINS',
+  }));
+  client.on('goaway', mustNotCall());
+  client.on('close', resolve);
+
+  client.request().resume();
+});
+
+// Test non-default values
+await Promise.all([-0, 9, 1.5].map((maxOriginSetSize) => new Promise((resolve) => {
+  const client = connect(`https://localhost:${server.address().port}`, { ca, maxOriginSetSize });
+
+  client.on('origin', mustNotCall()); // The server send 10 origins on the first frame, that's already too many.
+  client.on('error', expectsError({
+    code: 'ERR_HTTP2_TOO_MANY_ORIGINS',
+  }));
+  client.on('goaway', mustNotCall());
+  client.on('close', resolve);
+
+  client.request().resume();
+})));
+
+
+// Test values higher than the default value
+await Promise.all([512, Infinity].map((maxOriginSetSize) => new Promise((resolve) => {
+  const client = connect(`https://localhost:${server.address().port}`, { ca, maxOriginSetSize });
+
+  client.on('origin', mustCall(() => {
+    if (client.originSet.length > 128) {
+      client.destroy();
+    }
+  }, 13));
+  client.on('error', mustNotCall());
+  client.on('goaway', mustNotCall());
+  client.on('close', resolve);
+
+  client.request().resume();
+})));
+
+server.close();
