Severity: medium | CWE-400 | OWASP A02:2021

Cold Start State Leak

Module-level state in a serverless function persists across the invocations served by one execution environment. If that state holds user or request data, the data leaks from one request to the next.

How It Works

Module-level variables in a Lambda function are initialized once, when the execution environment starts, and reused by every warm invocation that environment serves. If you park a user object or request data in one of them to save a lookup, the value outlives the request that set it: the next invocation in the same environment begins with the previous caller's data already in the variable, and any code path that reads it before reassigning it (an early return, a lookup that misses or whose error is swallowed, a helper that reads the global instead of taking a parameter) serves the previous caller's data. A single Lambda execution environment handles one invocation at a time, so on Lambda this is a stale-state bug rather than a race; in runtimes that serve several requests from one process concurrently, the same variable is also overwritten mid-request by another caller.

Vulnerable Code
// BAD: user data stored in a module-level variable leaks across invocations
let currentUser: User | null = null; // persists between warm invocations!

export const handler = async (event) => {
  // Until this assignment completes, currentUser still holds the previous
  // caller's record; anything that reads it before then, or on a path that
  // skips the reload, gets the wrong user.
  currentUser = await getUser(event.userId);
  return processRequest(currentUser);
};

Secure Code
// GOOD: keep all user-specific data inside the handler scope
export const handler = async (event) => {
  const currentUser = await getUser(event.userId); // local scope only
  return processRequest(currentUser);
};

Real-World Example

A fintech reported a bug where users occasionally saw another user's account balance. The root cause was a module-level cache variable that still held the previous invocation's user record until the new user's record had been loaded; requests that read it in that window were served the previous user's balance.

How to Prevent It

  • Never store user-specific or request-specific data in module-level variables; keep it in handler scope and pass it as parameters
  • Limit module-level variables to truly static state: environment values and initialized clients (SDK clients, connection pools) that are identical for every caller
  • If you cache expensive resources globally (DB connections, HTTP clients), make sure nothing user-specific gets attached to them, such as per-user credentials, tenant identifiers, or default headers set during a request
  • Add integration tests that invoke the handler twice in the same process with different users and assert that the second response, and the module state afterward, contain nothing from the first
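The stale-state path described under How It Works, the fix, and the consecutive-invocation test from the last bullet, worked through in one runnable TypeScript file. This is an added example, not code from the original page or from Hogo; User, getUser, processRequest, the event shape and the sample accounts are assumptions made for the demonstration. It also goes one step beyond the Lambda case to show what the same global does under a runtime that serves requests concurrently.

```typescript
// Added example, not code from the original page. It reproduces the leak by
// calling one module-scope handler repeatedly, the way a warm execution
// environment does. User, getUser, processRequest, the event shape and the
// sample accounts below are assumptions made for this demonstration.

type User = { id: string; balance: number };
type LambdaEvent = { userId: string };
type Result = { status: number; userId?: string; balance?: number };

// Constructed stand-in for a user store (not real data).
const USERS: Record<string, User> = {
  alice: { id: "alice", balance: 1200 },
  bob: { id: "bob", balance: 35 },
};

// Stands in for a database or HTTP lookup; the await yields to the event
// loop the way real I/O would.
async function getUser(id: string): Promise<User | null> {
  await new Promise<void>((resolve) => setTimeout(resolve, 0));
  return USERS[id] ?? null;
}

function processRequest(user: User | null): Result {
  return user
    ? { status: 200, userId: user.id, balance: user.balance }
    : { status: 404 };
}

// BAD: the "current" user lives at module scope, so it outlives the
// invocation that set it. Refreshing it only on a successful lookup is a
// common shortcut, and it means a lookup miss (or a swallowed error) serves
// whatever the previous caller left behind.
let currentUser: User | null = null;

export async function leakyHandler(event: LambdaEvent): Promise<Result> {
  const found = await getUser(event.userId);
  if (found) currentUser = found;     // on a miss the stale value survives
  return processRequest(currentUser); // may be the previous invocation's user
}

// GOOD: per-request data is a local; a miss is a miss, nothing to inherit.
export async function safeHandler(event: LambdaEvent): Promise<Result> {
  const user = await getUser(event.userId);
  return processRequest(user);
}

// Runs invocations back to back in one module instance, as a warm container
// does, and returns the responses in order. This is the shape of the
// integration test the prevention list asks for.
export async function simulateWarmContainer(
  handler: (e: LambdaEvent) => Promise<Result>,
  events: LambdaEvent[],
): Promise<Result[]> {
  const results: Result[] = [];
  for (const e of events) results.push(await handler(e));
  return results;
}

// Second failure mode: a runtime that serves several requests per instance
// at once (not Lambda's one-invocation-at-a-time model, but e.g. an HTTP
// server in a container). An await between writing and reading the global
// lets another request overwrite it in between, even though every request
// assigns it first.
export async function racyHandler(event: LambdaEvent): Promise<Result> {
  currentUser = await getUser(event.userId);
  await new Promise<void>((resolve) => setTimeout(resolve, 0)); // e.g. an audit-log write
  return processRequest(currentUser); // may now hold another request's user
}

export async function simulateConcurrentRequests(
  handler: (e: LambdaEvent) => Promise<Result>,
  events: LambdaEvent[],
): Promise<Result[]> {
  return Promise.all(events.map((e) => handler(e)));
}

async function demo() {
  const warm = [{ userId: "alice" }, { userId: "mallory" }]; // mallory: no such account
  const leakyWarm = await simulateWarmContainer(leakyHandler, warm);
  const safeWarm = await simulateWarmContainer(safeHandler, warm);
  const racyConcurrent = await simulateConcurrentRequests(racyHandler, [
    { userId: "alice" },
    { userId: "bob" },
  ]);
  console.log({ leakyWarm, safeWarm, racyConcurrent });
  return { leakyWarm, safeWarm, racyConcurrent };
}

// Kicked off at import time so the file shows the leak when run directly.
export const demoRun = demo();
```

Run it with a TypeScript runner such as tsx. The leaky handler answers the unknown user "mallory" with alice's balance, because the miss leaves alice's record in the module-level variable; the safe handler answers 404. Under concurrent execution the request for alice comes back with bob's record, since bob's invocation reassigned the global between alice's write and read. Either of the two simulate helpers, pointed at your real handler, is the integration test the prevention list asks for.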

Affected Technologies

aws-lambda, Node.js

Data Hogo detects this vulnerability automatically.
