
[Security] Bump ws from 7.5.9 to 7.5.10

Dependabot requested to merge dependabot-npm_and_yarn-ws-7.5.10 into master

Bumps ws from 7.5.9 to 7.5.10. This update includes a security fix.

Vulnerabilities fixed

ws affected by a DoS when handling a request with many HTTP headers

Impact

A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;
  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;
    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];

... (truncated)

Patched versions: 7.5.10
Affected versions: >= 7.0.0, < 7.5.10

Release notes

Sourced from ws's releases.

7.5.10

Bug fixes

  • Backported e55e5106 to the 7.x release line (22c28763).
Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
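Added example, not code from ws or from this merge request: a self-contained Node.js model of the failure mode behind the advisory above. It assumes, as the comments state, that the request headers object a server sees keeps only the first server.maxHeadersCount name/value pairs while the upgrade handler still runs; the two handshake checks are simplified stand-ins written for this example, not ws's own code, and the header set is the constructed one from the proof of concept.

```javascript
'use strict';

// Added example (not ws project code). Node's http server retains at most
// `server.maxHeadersCount` header pairs (default 2000) and drops the rest,
// but the 'upgrade' event still fires because the parser saw the Upgrade
// header. A handshake check that assumes `req.headers.upgrade` exists then
// throws a TypeError, which is the crash. `headersAsSeenByServer` below is a
// deliberate model of that truncation (assumption), not Node's own code.
const DEFAULT_MAX_HEADERS_COUNT = 2000;

// Model of the request headers object after truncation: only the first
// `limit` pairs survive (limit 0 means no cap), names lower-cased like Node.
function headersAsSeenByServer(rawPairs, limit) {
  const headers = {};
  let kept = 0;
  for (const [name, value] of rawPairs) {
    if (limit !== 0 && kept >= limit) break;
    headers[name.toLowerCase()] = value;
    kept++;
  }
  return headers;
}

// The four headers a valid WebSocket client handshake carries (constructed).
function handshakeHeaderPairs() {
  return [
    ['Connection', 'Upgrade'],
    ['Upgrade', 'websocket'],
    ['Sec-WebSocket-Key', 'dGhlIHNhbXBsZSBub25jZQ=='],
    ['Sec-WebSocket-Version', '13'],
  ];
}

// Constructed attack request mirroring the PoC: 2000 filler headers first,
// then the real handshake headers, which are the ones that get dropped.
function attackHeaderPairs() {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const pairs = [];
  outer: for (const a of chars) {
    for (const b of chars) {
      pairs.push([a + b, 'x']);
      if (pairs.length === DEFAULT_MAX_HEADERS_COUNT) break outer;
    }
  }
  return pairs.concat(handshakeHeaderPairs());
}

const KEY_RE = /^[+/0-9A-Za-z]{22}==$/;

// Vulnerable pattern (stand-in, not ws code): dereferences the Upgrade
// header without checking that it survived truncation.
function vulnerableHandshakeCheck(headers) {
  if (headers.upgrade.toLowerCase() !== 'websocket') return 'Invalid Upgrade header';
  if (!KEY_RE.test(headers['sec-websocket-key'])) return 'Missing or invalid Sec-WebSocket-Key header';
  const version = headers['sec-websocket-version'];
  if (version !== '8' && version !== '13') return 'Missing or invalid Sec-WebSocket-Version header';
  return null; // handshake accepted
}

// Hardened pattern: every header is treated as possibly absent and the
// request is rejected with a reason instead of throwing.
function hardenedHandshakeCheck(headers) {
  const upgrade = headers.upgrade;
  if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') return 'Invalid Upgrade header';
  const key = headers['sec-websocket-key'];
  if (key === undefined || !KEY_RE.test(key)) return 'Missing or invalid Sec-WebSocket-Key header';
  const version = headers['sec-websocket-version'];
  if (version !== '8' && version !== '13') return 'Missing or invalid Sec-WebSocket-Version header';
  return null; // handshake accepted
}

// Runs a check the way an 'upgrade' listener would. An exception here is
// what takes down a real server that has no handler for it.
function runHandshakeCheck(check, headers) {
  try {
    return { crashed: false, rejection: check(headers) };
  } catch (err) {
    return { crashed: true, error: err.name };
  }
}

// Summary of the three cases: capped + vulnerable, capped + hardened,
// and the same request with the cap removed.
function demonstrate() {
  const capped = headersAsSeenByServer(attackHeaderPairs(), DEFAULT_MAX_HEADERS_COUNT);
  const uncapped = headersAsSeenByServer(attackHeaderPairs(), 0);
  return {
    vulnerableCapped: runHandshakeCheck(vulnerableHandshakeCheck, capped),
    hardenedCapped: runHandshakeCheck(hardenedHandshakeCheck, capped),
    vulnerableUncapped: runHandshakeCheck(vulnerableHandshakeCheck, uncapped),
  };
}

console.log(demonstrate());
```

Run with node: the capped vulnerable case reports a TypeError, the hardened check returns a plain rejection for the same headers, and with no cap the handshake headers survive and the request is accepted, which is why the header-count limit on the underlying http.Server decides whether this request is dangerous.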
