You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
By default Node.js will listen for SIGUSR1 and start its internal inspector when it is received. This creates a security risk on production systems as the inspector interface could be used to eavesdrop on RPC intractions, for example, and execute arbitrary code in general.
For example in our infrastructure we use a PM2 module to listen for apps starting/restarting and send them their 'secrets' (API/signing keys etc) through sendLineToStdin(). However if a bad actor would manage to get access to the system they could send SIGUSR1 to the PM2 God process, attach a debugger and set some breakpoints to intercept these transactions and therefore steal the secrets.
Uh oh!
There was an error while loading. Please reload this page.
By default Node.js will listen for SIGUSR1 and start its internal inspector when it is received. This creates a security risk on production systems as the inspector interface could be used to eavesdrop on RPC intractions, for example, and execute arbitrary code in general.
For example in our infrastructure we use a PM2 module to listen for apps starting/restarting and send them their 'secrets' (API/signing keys etc) through
sendLineToStdin(). However if a bad actor would manage to get access to the system they could send SIGUSR1 to the PM2 God process, attach a debugger and set some breakpoints to intercept these transactions and therefore steal the secrets.This can easily be prevented by registering a no-op handler for SIGUSR1, as is recommended in the Security best practices provided by the Node.js team: https://nodejs.org/en/learn/getting-started/security-best-practices.
The text was updated successfully, but these errors were encountered: