WeakAuras


Denial-of-Service

SamMousa opened this issue · 2 comments

commented

Sorry for not using the template, it doesn't work well for this type of report.

It is possible to DoS anyone using WA2 due to a combination of features provided by underlying libraries and improper sender validation by WA2.

AceComm

Data communication has very low throughput in WoW; furthermore, only small messages can be sent.
AceComm solves this issue by cutting up the message and stitching it back together on the receiving end. This is a risk in and of itself: in theory I could send anyone random data until they run out of memory, though it would take several hours without a reload for this to be effective.

When receiving a large stream of data, say 10M, the addon (WA2) receives this data in one go, so while it might have taken the sender a few minutes to send, from the perspective of the addon the message is received instantly.

LibDeflate

When WA receives data, instead of checking whether the sender is trusted, it first passes the data to LibDeflate (or LibCompress which is probably even easier to exploit due to its worse performance).
LibDeflate runs in a tight loop, freezing the screen until it is done unpacking.

Reproduction

I have tested this and have been able to freeze up people via whisper (I asked their permission first of course). I won't post the code here since it can be abused. I couldn't yet reproduce it in PARTY, due to this part:

  if distribution == "PARTY" or distribution == "RAID" then
    local dest, msg = string.match(message, "^§§([^:]+):(.+)$")
    if dest then
      local dName, dServer = string.match(dest, "^(.*)-(.*)$")
      local myName, myServer = UnitFullName("player")
      if myName == dName and myServer == dServer then
        message = msg
      else
        return
      end
    end
  end

But it should be simple to modify the payload to pass this test (as the goal of that code is not security, it is just randomly tripping up my payload).

Note that it will also work in GUILD, SAY, INSTANCE_CHAT etc.

Solution

There are several possible solutions to the problem:

  1. Enforce a hard message limit on WeakAuras messages
  2. Use coroutines to throttle decompression & deserialization (rossnichols/LibSerialize#7, SafeteeWoW/LibDeflate#8)
  3. Negotiate or confirm larger messages before processing them.

One thing to consider is whether supporting all chat channels is really required; if you don't expect (large) messages via SAY, they should be discarded instead of being processed.
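The ordering problem described above (decompress first, validate the sender later) and solution 1 (a hard message limit) can be modelled as a receive handler that spends no decompression work until the channel, sender and size checks have all passed. This is an added example and not WeakAuras code: zlib stands in for LibDeflate, the sender allow-list, channel set, size caps and the message bytes are constructed, and the handler mirrors the AceComm callback arguments (message, distribution, sender) without the prefix.

```python
import zlib

# Constructed stand-ins for a trusted-sender list, the channels that are
# expected to carry WeakAuras data, and a hard message limit (solution 1).
SAFE_SENDERS = {"Alice-ExampleRealm"}
ALLOWED_DISTRIBUTIONS = {"WHISPER", "PARTY", "RAID"}
MAX_WIRE_BYTES = 64 * 1024        # cap on the compressed message as received
MAX_INFLATED_BYTES = 1024 * 1024  # cap on what we are willing to inflate


def inflate_bounded(data: bytes, limit: int) -> bytes:
    """Inflate at most `limit` bytes and refuse streams that would exceed it.

    zlib's max_length stops inflation early; any leftover compressed input
    lands in unconsumed_tail, which tells us the stream was larger than the
    cap. A stream that ends without reaching eof is truncated and also rejected.
    """
    d = zlib.decompressobj()
    out = d.decompress(data, limit)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("inflated size exceeds limit or stream is incomplete")
    return out


def on_comm_received(message: bytes, distribution: str, sender: str):
    """Cheap checks first, expensive decompression last.

    Returns (status, payload); payload is None unless status == "ok".
    """
    if distribution not in ALLOWED_DISTRIBUTIONS:
        return ("dropped-channel", None)           # e.g. SAY / INSTANCE_CHAT
    if sender not in SAFE_SENDERS:
        return ("dropped-untrusted-sender", None)  # nothing inflated for strangers
    if len(message) > MAX_WIRE_BYTES:
        return ("dropped-oversized", None)         # hard limit on the wire size
    try:
        payload = inflate_bounded(message, MAX_INFLATED_BYTES)
    except (zlib.error, ValueError):
        return ("dropped-bad-stream", None)        # corrupt or over-cap stream
    return ("ok", payload)
```

Only the last branch touches the decompressor, so an untrusted or oversized message costs a few comparisons rather than a screen freeze.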

commented

We now first check the safeSenders list, which looks to me like it would prevent it without any further work.

commented

Yes it should!