[Security] Bump ws from 8.18.3 to 8.21.1

Bumps ws from 8.18.3 to 8.21.1. This update includes security fixes.

Vulnerabilities fixed

ws: Uninitialized memory disclosure

Impact

The websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument.

Proof of concept

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer( { port: 0, skipUTF8Validation: true }, function () { const { port } = wss.address(); const ws = new WebSocket(ws://localhost:${port}, { skipUTF8Validation: true });

ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));

</tr></table>

... (truncated)

Patched versions: 8.20.1
Affected versions: >= 8.0.0, < 8.20.1

ws: Memory exhaustion DoS from tiny fragments and data chunks

Impact

A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.

Proof of concept

import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () { const data = Buffer.alloc(1); const options = { fin: false }; const { port } = wss.address(); const ws = new WebSocket(ws://localhost:${port});

ws.on('open', function () { (function send() { ws.send(data, options, function (err) { if (err) return; send(); </tr></table>

... (truncated)

Patched versions: 8.21.0; 7.5.11; 6.2.4; 5.2.5
Affected versions: >= 8.0.0, < 8.21.0; >= 7.0.0, < 7.5.11; >= 6.0.0, < 6.2.4; >= 1.1.0, < 5.2.5

Release notes

Sourced from ws's releases.

8.21.1

Bug fixes

  • Empty fragments are now counted toward the limit (a2f4e7c0).
  • The default values of the maxBufferedChunks and maxFragments options have been reduced (f197ac65).

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () { const data = Buffer.alloc(1); const options = { fin: false }; const { port } = wss.address(); const ws = new WebSocket(ws://localhost:${port});

ws.on('open', function () { (function send() { ws.send(data, options, function (err) { if (err) return; send(); }); })(); });

ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(client close - code: ${code} reason: ${reason.toString()}); }); });

wss.on('connection', function (ws) { ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(server close - code: ${code} reason: ${reason.toString()}); }); });

... (truncated)

Commits
  • ae1de54 [dist] 8.21.1
  • 8e9511b [ci] Trust Coveralls Homebrew tap
  • f197ac6 [fix] Lower default values of maxBufferedChunks and maxFragments
  • 8df8265 [ci] Update actions/checkout action to v7
  • a2f4e7c [fix] Count empty fragments toward the limit (#2329)
  • e79f912 [pkg] Approve install scripts for bufferutil and utf-8-validate
  • 4ea355d [doc] Document 32-bit signed integer coercion for option values
  • 2120f4c [example] Remove uuid dependency
  • 4c534a6 [security] Add latest vulnerability to SECURITY.md
  • bca91ad [dist] 8.21.0
  • Additional commits viewable in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading