Skip to content

[Security] Bump ws from 7.5.8 to 7.5.10 in /frontend

Dependabot requested to merge dependabot-npm_and_yarn-frontend-ws-7.5.10 into master

Bumps ws from 7.5.8 to 7.5.10. This update includes a security fix.

Vulnerabilities fixed

ws affected by a DoS when handling a request with many HTTP headers

Impact

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];

</tr></table>

... (truncated)

Patched versions: 7.5.10 Affected versions: >= 7.0.0, < 7.5.10

Release notes

Sourced from ws's releases.

7.5.10

Bug fixes

  • Backported e55e5106 to the 7.x release line (22c28763).

7.5.9

Bug fixes

  • Backported bc8bd34e to the 7.x release line (0435e6e1).
Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading