ws affected by a DoS when handling a request with many HTTP headers
A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.
ws is an open source WebSocket client and server library for Node. In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers.
Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Proof of concept:

```js
const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor'; // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r' …
```
A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance and that is where …
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a ws server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
A specially crafted value of the Sec-WebSocket-Extensions header that uses Object.prototype property names as extension or parameter names can be used to make a ws server crash.
It is possible to crash the node process by sending an overly long websocket payload to a ws server.
When given a number instead of a string, the ping function sends a non-zeroed buffer of the corresponding length, which exposes memory to the recipient.