
This release includes 1 security fix for security teams reviewing exposed deployments.

Published 10h MCP Data & Storage
✓ No known CVEs patched
This release patches 1 known CVE

Topics

durable, durable-streams, real-time, streaming, streamstore, typescript, write-ahead-log

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 8h

The release caps the declared frame size in FrameAssembler to prevent OOM from untrusted _frame_bytes.

Why it matters: a severity score of 90 calls for immediate mitigation by SREs and security engineers operating FrameAssembler or DeserializingReadSession surfaces.

Summary

AI summary

Fixes OOM vulnerability by capping declared frame size in FrameAssembler.

Changes in this release

Security Critical

Caps declared frame size to prevent reader OOM from untrusted _frame_bytes

Source: llm_adapter@2026-06-03

Confidence: high

Full changelog

Patch Changes

  • 98fa90c: fix: cap declared frame size to prevent reader OOM from untrusted _frame_bytes (#230)

    FrameAssembler allocated its reassembly buffer directly from the attacker-controlled
    _frame_bytes header, so a tiny record declaring a huge frame could force a reader to
    eagerly allocate that much memory. Frames whose declared size is non-positive or exceeds
    maxFrameBytes (default 100 MiB) are now dropped before allocating. The limit is
    configurable via FrameAssembler's constructor and DeserializingReadSession's
    maxFrameBytes option.
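The check described in the changelog, as an added example rather than code from s2-sdk-typescript: the assembler parses the declared size out of the record header and rejects non-positive or over-limit values before any buffer is allocated, so a four-byte record can no longer make a reader commit gigabytes. The 4-byte big-endian signed length prefix standing in for `_frame_bytes`, the resync-on-drop behaviour, and all names below are assumptions made for this example.

```typescript
// Added example (not the s2-sdk-typescript project's own code). Models the fix
// in #230: validate the attacker-controlled declared size *before* allocating
// the reassembly buffer. Header layout (4-byte big-endian signed length prefix
// standing in for `_frame_bytes`) and the resync-on-drop policy are assumptions.

const DEFAULT_MAX_FRAME_BYTES = 100 * 1024 * 1024; // 100 MiB, the changelog's default

type FrameResult =
  | { kind: "frame"; payload: Uint8Array }
  | { kind: "dropped"; reason: string; declared: number }; // rejected, nothing allocated

function readInt32BE(bytes: number[]): number {
  return new DataView(Uint8Array.from(bytes).buffer).getInt32(0); // DataView is big-endian by default
}

// Helpers to construct sample input for the example (constructed, not captured traffic).
function encodeHeader(declared: number): Uint8Array {
  const h = new Uint8Array(4);
  new DataView(h.buffer).setInt32(0, declared);
  return h;
}
function encodeFrame(payload: Uint8Array): Uint8Array {
  const out = new Uint8Array(4 + payload.length);
  out.set(encodeHeader(payload.length), 0);
  out.set(payload, 4);
  return out;
}

class FrameAssembler {
  private header: number[] = [];            // header bytes seen so far
  private buffer: Uint8Array | null = null; // allocated only after the size passes validation
  private filled = 0;

  constructor(private readonly maxFrameBytes: number = DEFAULT_MAX_FRAME_BYTES) {
    if (!Number.isInteger(maxFrameBytes) || maxFrameBytes <= 0) {
      throw new RangeError("maxFrameBytes must be a positive integer");
    }
  }

  // Returns null when the declared size is acceptable, else the reason to drop it.
  rejectReason(declared: number): string | null {
    if (declared <= 0) return "non-positive declared frame size";
    if (declared > this.maxFrameBytes) {
      return `declared frame size ${declared} exceeds maxFrameBytes ${this.maxFrameBytes}`;
    }
    return null;
  }

  // Feed one chunk from the stream; returns the results produced by that chunk, in order.
  push(chunk: Uint8Array): FrameResult[] {
    const out: FrameResult[] = [];
    let i = 0;
    while (i < chunk.length) {
      if (this.buffer === null) {
        this.header.push(chunk[i]);
        i++;
        if (this.header.length < 4) continue;
        const declared = readInt32BE(this.header);
        this.header = [];
        const reason = this.rejectReason(declared);
        if (reason !== null) {
          // The untrusted size never reaches `new Uint8Array`; a tiny record cannot
          // force a large allocation. Following bytes are parsed as a fresh header
          // (resync policy is an assumption of this example).
          out.push({ kind: "dropped", reason, declared });
          continue;
        }
        this.buffer = new Uint8Array(declared); // bounded by maxFrameBytes
        this.filled = 0;
        continue;
      }
      const buf = this.buffer;
      const take = Math.min(buf.length - this.filled, chunk.length - i);
      buf.set(chunk.subarray(i, i + take), this.filled);
      this.filled += take;
      i += take;
      if (this.filled === buf.length) {
        out.push({ kind: "frame", payload: buf });
        this.buffer = null;
      }
    }
    return out;
  }
}

// Quick demonstration: a valid 5-byte frame, then a 4-byte record declaring ~2 GiB.
const demo = new FrameAssembler();
console.log(demo.push(encodeFrame(new TextEncoder().encode("hello"))));
console.log(demo.push(encodeHeader(0x7fffffff)));
```

The limit is a constructor argument, mirroring the changelog's description of `FrameAssembler` and the `maxFrameBytes` option, so a reader with a smaller memory budget can tighten it; the test below exercises the default, a custom limit, and both rejection branches.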

Security Fixes

  • Fix: cap declared frame size to prevent reader OOM from untrusted _frame_bytes (#230)


About s2-streamstore/s2-sdk-typescript

Official MCP server for the S2.dev serverless stream platform.
