Summary
Server crashes when extraParams is {} but code accesses msg.extraParams.session without checking.
Affected Code
server-game/start-game.js:84
msg.extraParams = JSON.parse(msg.extraParamsRaw);
if (msg.extraParams.session) msg.session = msg.extraParams.session; // throws TypeError if extraParams is null
Vulnerability
If JSON.parse succeeds and returns an empty object or an object without session, the access is safe. Likewise, if parsing fails and the catch block falls back to msg.extraParams = {}, or if a user sends valid JSON without these fields, no crash occurs here. But if extraParams is explicitly set to null in JSON, JSON.parse returns null and msg.extraParams.session throws.
Impact
- Remote server crash with crafted payload
- Denial of service
Proof of Concept
{"cmd":1,"extraParamsRaw":"null"}
Then code does msg.extraParams = JSON.parse('null') → msg.extraParams = null
Then if (msg.extraParams.session) → TypeError: Cannot read property 'session' of null
Recommended Fix
if (msg.extraParams?.session) msg.session = msg.extraParams.session;
if (msg.extraParams?.customMinMap) msg.joinType = Comm.Code.createPrivateGame;
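The following is an added example, not code from the project: it runs the unguarded access and a stricter normalising guard over constructed extraParamsRaw values to show that null is the only JSON.parse result that throws on property access. The function names, the sample inputs, the try/catch layout (inferred from the fallback described under Vulnerability) and the string check on session are assumptions.

```javascript
// Unguarded access as in the affected lines. The try/catch mirrors the
// fallback the advisory describes (assumed layout, not the project's code).
function applyUnguarded(msg) {
  try {
    msg.extraParams = JSON.parse(msg.extraParamsRaw);
  } catch (err) {
    msg.extraParams = {};
  }
  if (msg.extraParams.session) msg.session = msg.extraParams.session;
  return msg;
}

// Hardened variant (hypothetical): parse failures and every non-object
// value (null, numbers, strings, arrays) are normalised to {} before use.
function applyGuarded(msg) {
  let parsed;
  try {
    parsed = JSON.parse(msg.extraParamsRaw);
  } catch (err) {
    parsed = {};
  }
  const isPlainObject =
    parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed);
  msg.extraParams = isPlainObject ? parsed : {};
  // Assumption: a session identifier is a string; other types are ignored.
  if (typeof msg.extraParams.session === 'string') {
    msg.session = msg.extraParams.session;
  }
  return msg;
}

// Maps each raw input to 'ok' or the name of the error class it raised.
function probe(fn, raws) {
  const out = {};
  for (const raw of raws) {
    try {
      fn({ cmd: 1, extraParamsRaw: raw });
      out[raw] = 'ok';
    } catch (err) {
      out[raw] = err.constructor.name;
    }
  }
  return out;
}

// Constructed sample inputs, not captured traffic.
const SAMPLES = ['{}', '{"session":"abc"}', 'null', '42', '"x"', '[]', '{bad'];
console.log('unguarded:', probe(applyUnguarded, SAMPLES));
console.log('guarded:  ', probe(applyGuarded, SAMPLES));
```

Numbers, strings and arrays do not throw because property access on them yields undefined. The optional chaining in the recommended fix is therefore enough to stop the crash, while the normalising guard additionally keeps non-object values out of later code.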
References