HeadlinesBriefing favicon HeadlinesBriefing.com

Tailscale Serve/Funnel CPU DoS Fixed in 1.98.9

Hacker News •
×

A single malformed HTTP request to a node running Tailscale Serve or Tailscale Funnel could pin a CPU core indefinitely, causing denial of service. When resolving the handler for a request, Tailscale walked the request path upward one directory at a time, expecting the walk to terminate at the root path /. For requests whose path did not begin with /, this walk never reached / and never matched a mount point, causing the loop to spin forever. As the server enforced no request timeout, nothing interrupted the spin, and the goroutine held one core at 100% for the life of the process.

Tailscale now terminates the path walk for non-absolute paths, returning no handler and closing the request. This vulnerability is fixed in Tailscale version 1.98.9 or newer. An attacker could send a crafted HTTP request to permanently consume one CPU core on the target node. For Tailscale Serve, the request could originate from any peer on the tailnet with access to the node. For Tailscale Funnel, the request could originate from any unauthenticated host on the internet.

Nodes running Tailscale Serve or Tailscale Funnel on versions prior to 1.98.9 were affected. Users should upgrade to Tailscale version 1.98.9 or newer. Credits to Anthropic and Ada Logics for reporting this issue.