oven-sh · Jarred-Sumner · May 22, 2026 · May 21, 2026 · May 21, 2026 · May 21, 2026
diff --git a/packages/bun-uws/src/Http3Context.h b/packages/bun-uws/src/Http3Context.h
@@ -26,6 +26,12 @@ struct Http3Context {
             Http3ContextData *cd = (Http3ContextData *) us_quic_socket_context_ext(us_quic_stream_context(s));
             Http3Response *res = (Http3Response *) s;
             Http3ResponseData *rd = res->getHttpResponseData();
+            /* lsquic re-fires on_stream_headers for every HEADERS block on
+             * the stream; only the first one is the request. Re-running
+             * reset()/route() for trailers would wipe the live response's
+             * onAborted/userData and dispatch the handler a second time.
+             * state is 0 only before the first reset() on this stream. */
+            if (rd->state != 0) return;
             rd->reset();
 
             Http3Request req(s);

diff --git a/packages/bun-uws/src/HttpParser.h b/packages/bun-uws/src/HttpParser.h
@@ -570,8 +570,9 @@ namespace uWS
             }
 
 
-            bool isHTTPMethod = (__builtin_expect(data[1] == '/', 1));
-            bool isConnect = !isHTTPMethod && ((data - start) == 7 && memcmp(start, "CONNECT", 7) == 0);
+            /* RFC 9112 3: exactly one SP separates method and request-target */
+            bool isHTTPMethod = (__builtin_expect(data[0] == 32 && data[1] == '/', 1));
+            bool isConnect = !isHTTPMethod && ((data - start) == 7 && data[0] == 32 && memcmp(start, "CONNECT", 7) == 0);
             /* Also accept proxy-style absolute URLs (http://... or https://...) as valid request targets */
             bool isProxyStyleURL = !isHTTPMethod && !isConnect && data[0] == 32 && isHTTPorHTTPSPrefixForProxies(data + 1, end) == 1;
             if (isHTTPMethod || isConnect || isProxyStyleURL) [[likely]] {

diff --git a/src/ast/e.rs b/src/ast/e.rs
@@ -618,7 +618,7 @@
    pub ref_: Ref,
 }

 /// In development mode, the new JSX transform has a few special props
 /// - `React.jsxDEV(type, arguments, key, isStaticChildren, source, self)`
 /// - `arguments`:
 ///      ```{ ...props, children: children, }```
@@ -902,17 +902,22 @@
 }
 impl Rope {
     pub fn append(&mut self, expr: Expr, bump: &Bump) -> Result<*mut Rope, AllocError> {
-        if let Some(mut next) = core::ptr::NonNull::new(self.next).map(StoreRef::from_non_null) {
-            // Arena-allocated Rope nodes are uniquely owned by the chain at this
-            // point in TOML parsing; route through `StoreRef::DerefMut` (the
-            // arena-backed handle whose deref is centralised in `nodes.rs`).
-            return next.append(expr, bump);
+        // Walk to the tail iteratively: recursing once per node overflows the
+        // native stack on adversarially deep ropes (e.g. an `.npmrc` section
+        // header with thousands of dot-separated segments).
+        //
+        // Arena-allocated Rope nodes are uniquely owned by the chain at this
+        // point; route through `StoreRef::DerefMut` (the arena-backed handle
+        // whose deref is centralised in `nodes.rs`).
+        let mut tail = StoreRef::from_bump(self);
+        while let Some(next) = core::ptr::NonNull::new(tail.next).map(StoreRef::from_non_null) {
+            tail = next;
         }
         let rope: *mut Rope = bump.alloc(Rope {
             head: expr,
             next: core::ptr::null_mut(),
         });
-        self.next = rope;
+        tail.next = rope;
         Ok(rope)
     }
 

diff --git a/src/base64/lib.rs b/src/base64/lib.rs
@@ -303,8 +303,8 @@ pub mod vlq {
     const U7_MAX: u8 = 127;
 
     // base64 stores values up to 7 bits
-    const BASE64_LUT: [u8; U7_MAX as usize] = {
-        let mut bytes = [U7_MAX; U7_MAX as usize];
+    const BASE64_LUT: [u8; U7_MAX as usize + 1] = {
+        let mut bytes = [U7_MAX; U7_MAX as usize + 1];
         let mut i = 0;
         while i < BASE64.len() {
             bytes[BASE64[i] as usize] = i as u8;

diff --git a/src/brotli/lib.rs b/src/brotli/lib.rs
@@ -59,6 +59,9 @@ pub struct BrotliReaderArrayList<'a> {
     pub state: ReaderState,
     pub total_out: usize,
     pub total_in: usize,
+    /// Decompression-bomb guard: `read_all` errors instead of growing the
+    /// output past this many bytes. Defaults to unbounded.
+    pub max_output_size: usize,
     pub flush_op: c::BrotliEncoderOperation,
     pub finish_flush_op: c::BrotliEncoderOperation,
     pub full_flush_op: c::BrotliEncoderOperation,
@@ -152,6 +155,7 @@ impl<'a> BrotliReaderArrayList<'a> {
             state: ReaderState::Uninitialized,
             total_out: 0,
             total_in: 0,
+            max_output_size: usize::MAX,
             flush_op,
             finish_flush_op,
             full_flush_op,
@@ -204,6 +208,13 @@ impl<'a> BrotliReaderArrayList<'a> {
             unsafe { bun_core::vec::commit_spare(self.list_ptr, bytes_written) };
             self.total_in += bytes_read;
 
+            // Enforce the cap after every write so a chunk that ends the
+            // stream (`success`) cannot push the output past the limit.
+            if self.list_ptr.len() > self.max_output_size {
+                self.state = ReaderState::Error;
+                return Err(err!("BrotliDecompressionError"));
+            }
+
             match result {
                 c::BrotliDecoderResult::success => {
                     debug_assert!(BrotliDecoder::is_finished(self.brotli()));
@@ -237,6 +248,10 @@ impl<'a> BrotliReaderArrayList<'a> {
                     return Err(err!("ShortRead"));
                 }
                 c::BrotliDecoderResult::needs_more_output => {
+                    if self.list_ptr.len() >= self.max_output_size {
+                        self.state = ReaderState::Error;
+                        return Err(err!("BrotliDecompressionError"));
+                    }
                     let target = self.list_ptr.capacity() + 4096;
                     self.list_ptr
                         .reserve(target.saturating_sub(self.list_ptr.len()));

diff --git a/src/bun_core/util.rs b/src/bun_core/util.rs
@@ -5786,21 +5786,53 @@ pub mod form_data {
 
     /// `FormData.getBoundary` — borrow the `boundary=` value out of a
     /// `Content-Type` header. Returns `None` on malformed quoting.
+    ///
+    /// Parameters are `;`-delimited per RFC 7231 and the parameter *name* must
+    /// be exactly `boundary`, so a different parameter (`xboundary=FAKE`) or a
+    /// `boundary=` substring inside another parameter's value is not picked up
+    /// by an unanchored substring search. A `;` inside a quoted parameter
+    /// value (RFC 7230 quoted-string, `\` escapes the next byte) does not
+    /// delimit parameters.
     pub fn get_boundary(content_type: &[u8]) -> Option<&[u8]> {
-        let idx = ::bstr::ByteSlice::find(content_type, b"boundary=")?;
-        let begin = &content_type[idx + b"boundary=".len()..];
-        if begin.is_empty() {
-            return None;
+        let mut rest = content_type;
+        loop {
+            let semi = index_of_unquoted_semicolon(rest)?;
+            rest = &rest[semi + 1..];
+            let Some(begin) =
+                crate::strings_impl::trim_left(rest, b" \t").strip_prefix(b"boundary=")
+            else {
+                continue;
+            };
+            if begin.is_empty() {
+                return None;
+            }
+            let end = crate::strings_impl::index_of_char(begin, b';').unwrap_or(begin.len());
+            if begin[0] == b'"' {
+                if end > 1 && begin[end - 1] == b'"' {
+                    return Some(&begin[1..end - 1]);
+                }
+                // Opening quote with no matching closing quote — malformed.
+                return None;
+            }
+            return Some(&begin[..end]);
         }
-        let end = crate::strings_impl::index_of_char(begin, b';').unwrap_or(begin.len());
-        if begin[0] == b'"' {
-            if end > 1 && begin[end - 1] == b'"' {
-                return Some(&begin[1..end - 1]);
+    }
+
+    /// Index of the next `;` in `s` that is not inside an RFC 7230
+    /// quoted-string (`\` escapes the following byte inside quotes).
+    fn index_of_unquoted_semicolon(s: &[u8]) -> Option<usize> {
+        let mut in_quotes = false;
+        let mut i = 0;
+        while i < s.len() {
+            match s[i] {
+                b'"' => in_quotes = !in_quotes,
+                b'\\' if in_quotes => i += 1,
+                b';' if !in_quotes => return Some(i),
+                _ => {}
             }
-            // Opening quote with no matching closing quote — malformed.
-            return None;
+            i += 1;
         }
-        Some(&begin[..end])
+        None
     }
 
     /// `FormData.AsyncFormData` — heap-allocated, owns its `Encoding`.

diff --git a/src/bundler/linker_context/postProcessCSSChunk.rs b/src/bundler/linker_context/postProcessCSSChunk.rs
@@ -73,8 +73,22 @@ pub fn post_process_css_chunk(
             j.push_static(b"/* ");
             line_offset.advance(b"/* ");
 
-            j.push_static(pretty);
-            line_offset.advance(pretty);
+            // A `*/` in the path would terminate the comment early and let the
+            // rest of the path be parsed as CSS in the bundled output.
+            if bun_core::strings::contains(pretty, b"*/") {
+                let mut escaped = Vec::with_capacity(pretty.len() + 1);
+                for &byte in pretty {
+                    if byte == b'/' && escaped.last() == Some(&b'*') {
+                        escaped.push(b'\\');
+                    }
+                    escaped.push(byte);
+                }
+                line_offset.advance(&escaped);
+                j.push_owned(escaped.into_boxed_slice());
+            } else {
+                j.push_static(pretty);
+                line_offset.advance(pretty);
+            }
 
             j.push_static(b" */\n");
             line_offset.advance(b" */\n");

diff --git a/src/bundler/linker_context/postProcessJSChunk.rs b/src/bundler/linker_context/postProcessJSChunk.rs
@@ -680,8 +680,19 @@ pub fn post_process_js_chunk(
                 }
             }
 
-            j.push_static(pretty);
-            line_offset.advance(pretty);
+            // A `*/` in the path would terminate the block comment early and
+            // turn the rest of the path into generated JavaScript.
+            if matches!(comment_type, CommentType::Multiline) && strings::contains(pretty, b"*/") {
+                let mut sanitized = pretty.to_vec();
+                while let Some(i) = strings::index_of(&sanitized, b"*/") {
+                    sanitized[i + 1] = b'_';
+                }
+                line_offset.advance(&sanitized);
+                j.push_owned(sanitized.into_boxed_slice());
+            } else {
+                j.push_static(pretty);
+                line_offset.advance(pretty);
+            }
 
             if emit_targets_in_commands {
                 j.push_static(b" (");

diff --git a/src/http/Decompressor.rs b/src/http/Decompressor.rs
@@ -54,6 +54,11 @@ unsafe fn seat<'a>(input: &'a [u8], out: &'a mut Vec<u8>) -> (&'static [u8], &'s
     }
 }
 
+/// Decompression-bomb guard for response bodies inflated on the HTTP thread:
+/// a hostile server must not be able to expand a tiny compressed payload into
+/// an unbounded allocation.
+const MAX_DECOMPRESSED_BODY_SIZE: usize = 1024 * 1024 * 1024;
+
 impl Decompressor {
     // PORT NOTE: Zig `deinit` called `that.deinit()` on the active reader and
     // reset to `.none`. The boxed readers' `Drop` impls call `end()`, so an
@@ -77,7 +82,7 @@ impl Decompressor {
             let (input, out) = unsafe { seat(buffer, &mut body_out_str.list) };
             match encoding {
                 Encoding::Gzip | Encoding::Deflate => {
-                    let reader = ZlibReaderArrayList::init_with_options_and_list_allocator(
+                    let mut reader = ZlibReaderArrayList::init_with_options_and_list_allocator(
                         input,
                         out,
                         // PORT NOTE: Zig passed `body_out_str.allocator` and
@@ -97,26 +102,29 @@ impl Decompressor {
                             ..Default::default()
                         },
                     )?;
+                    reader.max_output_size = MAX_DECOMPRESSED_BODY_SIZE;
                     *self = Decompressor::Zlib(reader);
                     return Ok(());
                 }
                 Encoding::Brotli => {
-                    let reader = BrotliReaderArrayList::new_with_options(
+                    let mut reader = BrotliReaderArrayList::new_with_options(
                         input,
                         out,
                         // PORT NOTE: Zig passed `body_out_str.allocator`; dropped per §Allocators.
                         &Default::default(),
                     )?;
+                    reader.max_output_size = MAX_DECOMPRESSED_BODY_SIZE;
                     *self = Decompressor::Brotli(reader);
                     return Ok(());
                 }
                 Encoding::Zstd => {
-                    let reader = ZstdReaderArrayList::init_with_list_allocator(
+                    let mut reader = ZstdReaderArrayList::init_with_list_allocator(
                         input,
                         out,
                         // PORT NOTE: Zig passed `body_out_str.allocator` and
                         // `bun.http.default_allocator`; dropped per §Allocators.
                     )?;
+                    reader.max_output_size = MAX_DECOMPRESSED_BODY_SIZE;
                     *self = Decompressor::Zstd(reader);
                     return Ok(());
                 }

diff --git a/src/http_jsc/websocket_client/WebSocketUpgradeClient.rs b/src/http_jsc/websocket_client/WebSocketUpgradeClient.rs
@@ -993,6 +993,11 @@ impl<const SSL: bool> HTTPClient<SSL> {
         let me = unsafe { &mut *this };
         let mut body = data;
         if !me.body.is_empty() {
+            if me.body.len().saturating_add(data.len()) > bun_http::max_http_header_size() {
+                // SAFETY: `me`'s last use is above; no `&mut Self` spans this call.
+                unsafe { Self::terminate(this, ErrorCode::InvalidResponse) };
+                return;
+            }
             me.body.extend_from_slice(data);
             body = &me.body;
         }
@@ -1020,6 +1025,11 @@ impl<const SSL: bool> HTTPClient<SSL> {
             }
             Err(picohttp::ParseResponseError::ShortRead) => {
                 if me.body.is_empty() {
+                    if data.len() > bun_http::max_http_header_size() {
+                        // SAFETY: `me`'s last use is above; no `&mut Self` spans this call.
+                        unsafe { Self::terminate(this, ErrorCode::InvalidResponse) };
+                        return;
+                    }
                     me.body.extend_from_slice(data);
                 }
                 return;
@@ -1233,6 +1243,11 @@ impl<const SSL: bool> HTTPClient<SSL> {
         // Process as if it came directly from the socket
         let mut body = data;
         if !me.body.is_empty() {
+            if me.body.len().saturating_add(data.len()) > bun_http::max_http_header_size() {
+                // SAFETY: `me`'s last use is above; no `&mut Self` spans this call.
+                unsafe { Self::terminate(this, ErrorCode::InvalidResponse) };
+                return;
+            }
             me.body.extend_from_slice(data);
             body = &me.body;
         }
@@ -1257,6 +1272,11 @@ impl<const SSL: bool> HTTPClient<SSL> {
             }
             Err(picohttp::ParseResponseError::ShortRead) => {
                 if me.body.is_empty() {
+                    if data.len() > bun_http::max_http_header_size() {
+                        // SAFETY: `me`'s last use is above; no `&mut Self` spans this call.
+                        unsafe { Self::terminate(this, ErrorCode::InvalidResponse) };
+                        return;
+                    }
                     me.body.extend_from_slice(data);
                 }
                 return;

diff --git a/src/ini/lib.rs b/src/ini/lib.rs
@@ -257,6 +257,13 @@ mod draft {
 
     type OOM<T> = Result<T, AllocError>;
 
+    /// Hard cap on dot-separated segments in a section-header rope. The rope is
+    /// consumed by `E::Object::get_or_put_object`, which recurses once per
+    /// `rope.next` link, so an unbounded header overflows the stack. Past the
+    /// cap the remainder of the header (dots included) becomes the final
+    /// segment. Mirrors `MAX_DOTTED_KEY_SEGMENTS` in the TOML parser.
+    const MAX_SECTION_ROPE_SEGMENTS: usize = 512;
+
     // ──────────────────────────────────────────────────────────────────────────
     // Parser
     // ──────────────────────────────────────────────────────────────────────────
@@ -692,6 +699,7 @@ mod draft {
                 // RopeT is *Rope when usage==Section, else unit. In Rust we just
                 // keep an Option<&mut Rope> and ignore it for non-section usages.
                 let mut rope: Option<&'a mut Rope> = None;
+                let mut rope_parts: usize = 0;
 
                 let mut i: usize = 0;
                 'walk: while i < val.len() {
@@ -779,8 +787,10 @@ mod draft {
                                 did_any_escape = true;
                             }
                             b'.' => {
-                                if usage == Usage::Section {
+                                if usage == Usage::Section && rope_parts < MAX_SECTION_ROPE_SEGMENTS
+                                {
                                     self.commit_rope_part(bump, ropealloc, &mut unesc, &mut rope)?;
+                                    rope_parts += 1;
                                 } else {
                                     unesc.push(b'.');
                                 }
@@ -1069,10 +1079,11 @@ mod draft {
                 next: ptr::null_mut(),
             });
 
+            let mut segments: usize = 1;
             while dot_idx + 1 < key.len() {
                 let next_dot_idx = match next_dot(&key[dot_idx + 1..]) {
-                    Some(n) => dot_idx + 1 + n,
-                    None => {
+                    Some(n) if segments < MAX_SECTION_ROPE_SEGMENTS => dot_idx + 1 + n,
+                    _ => {
                         let rest = &key[dot_idx + 1..];
                         let _ = rope_head
                             .append(Expr::init(E::EString::init(rest), Loc::EMPTY), ropealloc)?;
@@ -1082,6 +1093,7 @@ mod draft {
                 let part = &key[dot_idx + 1..next_dot_idx];
                 let _ =
                     rope_head.append(Expr::init(E::EString::init(part), Loc::EMPTY), ropealloc)?;
+                segments += 1;
                 dot_idx = next_dot_idx;
             }