[Security] Bump ws from 8.18.3 to 8.21.1
Bumps ws from 8.18.3 to 8.21.1. This update includes security fixes.
Vulnerabilities fixed
ws: Uninitialized memory disclosure
Impact
The
websocket.close()implementation is vulnerable to uninitialized memory disclosure when aTypedArrayis passed as the reason argument.Proof of concept
import { deepStrictEqual } from 'node:assert'; import { WebSocket, WebSocketServer } from 'ws';const wss = new WebSocketServer( { port: 0, skipUTF8Validation: true }, function () { const { port } = wss.address(); const ws = new WebSocket(
ws://localhost:${port}, { skipUTF8Validation: true });ws.on('close', function (code, reason) { deepStrictEqual(reason, Buffer.alloc(80));
</tr></table>
... (truncated)
Patched versions: 8.20.1
Affected versions: >= 8.0.0, < 8.20.1
ws: Memory exhaustion DoS from tiny fragments and data chunks
Impact
A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.
Proof of concept
import { WebSocket, WebSocketServer } from 'ws';const wss = new WebSocketServer({ port: 0 }, function () { const data = Buffer.alloc(1); const options = { fin: false }; const { port } = wss.address(); const ws = new WebSocket(
ws://localhost:${port});
ws.on('open', function () { (function send() { ws.send(data, options, function (err) { if (err) return; send(); </tr></table>
... (truncated)
Patched versions: 8.21.0; 7.5.11; 6.2.4; 5.2.5
Affected versions: >= 8.0.0, < 8.21.0; >= 7.0.0, < 7.5.11; >= 6.0.0, < 6.2.4; >= 1.1.0, < 5.2.5
Release notes
Sourced from ws's releases.
8.21.1
Bug fixes
- Empty fragments are now counted toward the limit (a2f4e7c0).
- The default values of the
maxBufferedChunksandmaxFragmentsoptions have been reduced (f197ac65).8.21.0
Features
- Introduced the
maxBufferedChunksandmaxFragmentsoptions (2b2abd45).Bug fixes
- Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).
A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a
wsserver or client due to OOM.import { WebSocket, WebSocketServer } from 'ws';const wss = new WebSocketServer({ port: 0 }, function () { const data = Buffer.alloc(1); const options = { fin: false }; const { port } = wss.address(); const ws = new WebSocket(
ws://localhost:${port});ws.on('open', function () { (function send() { ws.send(data, options, function (err) { if (err) return; send(); }); })(); });
ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(
client close - code: ${code} reason: ${reason.toString()}); }); });
wss.on('connection', function (ws) { ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(server close - code: ${code} reason: ${reason.toString()}); }); });
... (truncated)
Commits
ae1de54[dist] 8.21.18e9511b[ci] Trust Coveralls Homebrew tapf197ac6[fix] Lower default values ofmaxBufferedChunksandmaxFragments8df8265[ci] Update actions/checkout action to v7a2f4e7c[fix] Count empty fragments toward the limit (#2329)e79f912[pkg] Approve install scripts for bufferutil and utf-8-validate4ea355d[doc] Document 32-bit signed integer coercion for option values2120f4c[example] Remove uuid dependency4c534a6[security] Add latest vulnerability to SECURITY.mdbca91ad[dist] 8.21.0- Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
$dependabot recreatewill recreate this MR rewriting all the manual changes and resolving conflicts