oven-sh · Jarred-Sumner · May 24, 2026 · May 22, 2026 · May 22, 2026 · May 22, 2026
diff --git a/packages/bun-usockets/src/crypto/openssl.c b/packages/bun-usockets/src/crypto/openssl.c
@@ -21,6 +21,7 @@
 #include "libusockets.h"
 #include <string.h>
 #include <stdatomic.h>
+#include <time.h>
 
 /* These are in sni_tree.cpp */
 void *sni_new();
@@ -799,7 +800,32 @@
 }
 
 static int ssl_renegotiate(struct us_socket_t *s) {
+  /* Server-forced renegotiation (HelloRequest -> SSL_ERROR_WANT_RENEGOTIATE).
+   * Enforce the per-context policy (default 3 per 600s, Node's
+   * CLIENT_RENEG_LIMIT/CLIENT_RENEG_WINDOW) before re-entering a full
+   * handshake — otherwise a malicious server can pin a core with
+   * back-to-back renegotiations. limit == 0 disables renegotiation; window
+   * == 0 means the per-connection counter never resets. Returning 0 makes
+   * the caller treat this as SSL_ERROR_SSL and close the connection. */
+  uint32_t limit, window;
+  us_reneg_policy(s_ssl(s), &limit, &window);
+  struct us_ssl_reneg_state_t *st = us_reneg_state(s_ssl(s));
   s->ssl_handshake_state = HANDSHAKE_RENEGOTIATION_PENDING;
+  if (!st) {
+    ssl_trigger_handshake(s, 0);
+    return 0;
+  }
+  uint64_t now_ms = (uint64_t)time(NULL) * 1000;
+  if (st->count == 0 ||
+      (window && now_ms - st->window_start_ms >= (uint64_t)window * 1000)) {
+    st->window_start_ms = now_ms;
+    st->count = 0;
+  }
+  if (st->count >= limit) {
+    ssl_trigger_handshake(s, 0);
+    return 0;
+  }
+  st->count++;
   if (!SSL_renegotiate(s_ssl(s))) {
     ssl_trigger_handshake(s, 0);
     return 0;

diff --git a/packages/bun-uws/src/HttpParser.h b/packages/bun-uws/src/HttpParser.h
@@ -955,7 +955,12 @@ namespace uWS
                     /* Go ahead and parse it (todo: better heuristics for emitting FIN to the app level) */
                     std::string_view dataToConsume(data, length);
                     for (auto chunk : uWS::ChunkIterator(&dataToConsume, &remainingStreamingBytes)) {
-                        dataHandler(user, chunk, chunk.length() == 0);
+                        void *returnedUser = dataHandler(user, chunk, chunk.length() == 0);
+                        if (returnedUser != user) {
+                            /* The data handler closed or shut down the socket; stop parsing
+                             * so we do not dispatch pipelined requests on a dead socket. */
+                            return HttpParserResult::success(consumedTotal, returnedUser);
+                        }
                     }
                     if (isParsingInvalidChunkedEncoding(remainingStreamingBytes)) [[unlikely]] {
                         // TODO: what happen if we already responded?
@@ -969,12 +974,16 @@ namespace uWS
             } else if (contentLengthStringLen) {
                 if constexpr (!ConsumeMinimally) {
                     unsigned int emittable = (unsigned int) std::min<uint64_t>(remainingStreamingBytes, length);
-                    dataHandler(user, std::string_view(data, emittable), emittable == remainingStreamingBytes);
+                    void *returnedUser = dataHandler(user, std::string_view(data, emittable), emittable == remainingStreamingBytes);
                     remainingStreamingBytes -= emittable;
 
                     data += emittable;
                     length -= emittable;
                     consumedTotal += emittable;
+
+                    if (returnedUser != user) {
+                        return HttpParserResult::success(consumedTotal, returnedUser);
+                    }
                 }
             } else if(isConnectRequest) {
                 // This only serves to mark that the connect request read all headers
@@ -986,7 +995,10 @@ namespace uWS
                 break;
             } else {
                 /* If we came here without a body; emit an empty data chunk to signal no data */
-                dataHandler(user, {}, true);
+                void *returnedUser = dataHandler(user, {}, true);
+                if (returnedUser != user) {
+                    return HttpParserResult::success(consumedTotal, returnedUser);
+                }
             }
 
             /* Consume minimally should break as easrly as possible */
@@ -1011,7 +1023,10 @@ namespace uWS
                  /* It's either chunked or with a content-length */
                 std::string_view dataToConsume(data, length);
                 for (auto chunk : uWS::ChunkIterator(&dataToConsume, &remainingStreamingBytes)) {
-                    dataHandler(user, chunk, chunk.length() == 0);
+                    void *returnedUser = dataHandler(user, chunk, chunk.length() == 0);
+                    if (returnedUser != user) {
+                        return HttpParserResult::success(0, returnedUser);
+                    }
                 }
                 if (isParsingInvalidChunkedEncoding(remainingStreamingBytes)) {
                     return HttpParserResult::error(HTTP_ERROR_400_BAD_REQUEST, HTTP_PARSER_ERROR_INVALID_CHUNKED_ENCODING);
@@ -1074,7 +1089,10 @@ namespace uWS
                         /* It's either chunked or with a content-length */
                         std::string_view dataToConsume(data, length);
                         for (auto chunk : uWS::ChunkIterator(&dataToConsume, &remainingStreamingBytes)) {
-                            dataHandler(user, chunk, chunk.length() == 0);
+                            void *returnedUser = dataHandler(user, chunk, chunk.length() == 0);
+                            if (returnedUser != user) {
+                                return HttpParserResult::success(0, returnedUser);
+                            }
                         }
                         if (isParsingInvalidChunkedEncoding(remainingStreamingBytes)) {
                             return HttpParserResult::error(HTTP_ERROR_400_BAD_REQUEST, HTTP_PARSER_ERROR_INVALID_CHUNKED_ENCODING);

diff --git a/packages/bun-uws/src/PerMessageDeflate.h b/packages/bun-uws/src/PerMessageDeflate.h
@@ -246,6 +246,9 @@ struct InflationStream {
 
         if (res == 0) {
             /* Fast path wins */
+            if (written > maxPayloadLength) {
+                return std::nullopt;
+            }
             return std::string_view(buf, written);
         }
 #endif

diff --git a/src/base64/lib.rs b/src/base64/lib.rs
@@ -327,7 +327,7 @@ pub mod vlq {
         let encoded_ = &encoded[start..][0..(encoded.len() - start).min(VLQ_MAX_IN_BYTES + 1)];
 
         // inlining helps for the 1 or 2 byte case, hurts a little for larger
-        for i in 0..(VLQ_MAX_IN_BYTES + 1) {
+        for i in 0..encoded_.len() {
             if ASSERT_VALID {
                 debug_assert!(encoded_[i] < U7_MAX); // invalid base64 character
             }

diff --git a/src/bun_core/string/HashedString.rs b/src/bun_core/string/HashedString.rs
@@ -43,7 +43,9 @@ impl HashedString {
     }
 
     pub fn eql_bytes(&self, other: &[u8]) -> bool {
-        (self.len as usize) == other.len() && (hash(other) as u32) == self.hash
+        (self.len as usize) == other.len()
+            && (hash(other) as u32) == self.hash
+            && self.str() == other
     }
 
     pub fn str(&self) -> &[u8] {

diff --git a/src/glob/matcher.rs b/src/glob/matcher.rs
@@ -397,7 +397,9 @@ fn glob_match_impl(
                         let pi = state.path_index as usize;
                         let gi = state.glob_index as usize;
                         let n = cc_len as usize;
-                        pi + n <= path.len() && path[pi..pi + n] == glob[gi..gi + n]
+                        pi + n <= path.len()
+                            && gi + n <= glob.len()
+                            && path[pi..pi + n] == glob[gi..gi + n]
                     } else {
                         path[state.path_index as usize] == cc
                     };

diff --git a/src/http/HTTPContext.rs b/src/http/HTTPContext.rs
@@ -772,10 +772,13 @@ impl<const SSL: bool> HTTPContext<SSL> {
                 continue;
             }
 
+            // The hash covers the Host-header SNI override that the handshake
+            // was verified against (see get_tls_hostname / connect()).
+            if socket.proxy_auth_hash != proxy_auth_hash {
+                continue;
+            }
+
             if want_tunnel {
-                if socket.proxy_auth_hash != proxy_auth_hash {
-                    continue;
-                }
                 if socket.target_port != target_port {
                     continue;
                 }
@@ -970,7 +973,13 @@ impl<const SSL: bool> HTTPContext<SSL> {
             } else {
                 0
             };
-            let proxy_auth_hash: u64 = if want_tunnel {
+            // For a direct TLS connection the handshake verifies the peer
+            // against get_tls_hostname() — which prefers the Host-header
+            // override (client.hostname) over url.hostname — so the override
+            // must discriminate the pool key there too, not just for CONNECT
+            // tunnels. proxy_auth_hash() reduces to exactly the override hash
+            // (or 0) for a non-proxied request.
+            let proxy_auth_hash: u64 = if want_tunnel || (SSL && client.http_proxy.is_none()) {
                 client.proxy_auth_hash()
             } else {
                 0

diff --git a/src/http/InternalState.rs b/src/http/InternalState.rs
@@ -62,6 +62,12 @@ pub struct InternalStateFlags {
     pub is_redirect_pending: bool,
     pub is_libdeflate_fast_path_disabled: bool,
     pub resend_request_body_on_redirect: bool,
+    /// Cross-origin redirect: the per-request Host override must be dropped so
+    /// the follow-up connection re-derives SNI/Host from the redirect target.
+    /// The actual clear is deferred to `do_redirect`, after the old socket's
+    /// pool/close decision — that decision needs `hostname` still set to know
+    /// the handshake was verified against an override.
+    pub clear_hostname_on_redirect: bool,
 }
 
 impl InternalStateFlags {
@@ -74,6 +80,7 @@ impl InternalStateFlags {
             is_redirect_pending: false,
             is_libdeflate_fast_path_disabled: false,
             resend_request_body_on_redirect: false,
+            clear_hostname_on_redirect: false,
         }
     }
 }

diff --git a/src/http/h2_client/dispatch.rs b/src/http/h2_client/dispatch.rs
@@ -619,7 +619,7 @@ pub fn decode_header_block(session: &mut ClientSession, stream: &mut Stream) {
         if stream.status_code != 0 || malformed {
             continue;
         }
-        if is_malformed_response_field(result.name) {
+        if is_malformed_response_field(result.name) || is_malformed_response_value(result.value) {
             malformed = true;
             continue;
         }
@@ -754,6 +754,14 @@ pub fn is_malformed_response_field(name: &[u8]) -> bool {
     )
 }
 
+/// RFC 9113 §8.2.1: a field value MUST NOT contain NUL (0x00), LF (0x0a), or
+/// CR (0x0d). HPACK is length-prefixed so these would otherwise pass through
+/// verbatim, breaking the no-CR/LF invariant the HTTP/1.1 parser provides and
+/// enabling header injection when values are forwarded downstream.
+pub fn is_malformed_response_value(value: &[u8]) -> bool {
+    value.iter().any(|&c| c == 0 || c == b'\r' || c == b'\n')
+}
+
 pub fn error_code_for(err: bun_core::Error) -> wire::ErrorCode {
     // PORT NOTE: bun_core::Error is a NonZeroU16 interned tag; `err!()` yields
     // a const Error per name once the link-time table lands. Until then all