Sourced fromThe GitHub Security Advisory Database.

ReDoS in Sec-Websocket-Protocol header

Impact

A specially crafted value of theSec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for(constlengthof[1000,2000,4000,8000,16000,32000]){constvalue='b'+' '.repeat(length)+'x';conststart=process.hrtime.bigint();value.trim().split(/*,*/);constend=process.hrtime.bigint();console.log('length = %d, time = %f ns',length,end-start);}

Patches

... (truncated)

Affected versions: >= 7.0.0 < 7.4.6

Sourced fromThe GitHub Security Advisory Database.

ReDoS in Sec-Websocket-Protocol header

Impact

A specially crafted value of theSec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for(constlengthof[1000,2000,4000,8000,16000,32000]){constvalue='b'+' '.repeat(length)+'x';conststart=process.hrtime.bigint();value.trim().split(/*,*/);constend=process.hrtime.bigint();console.log('length = %d, time = %f ns',length,end-start);}

Patches

... (truncated)

Affected versions: >= 5.0.0 < 7.4.5

Sourced fromThe GitHub Security Advisory Database.

ReDoS in Sec-Websocket-Protocol header

Impact

A specially crafted value of theSec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for(constlengthof[1000,2000,4000,8000,16000,32000]){constvalue='b'+' '.repeat(length)+'x';conststart=process.hrtime.bigint();value.trim().split(/*,*/);constend=process.hrtime.bigint();console.log('length = %d, time = %f ns',length,end-start);}

Patches

... (truncated)

Affected versions: >= 5.0.0 < 7.4.6

Sourced fromws's releases.

7.5.3

Bug fixes

• TheWebSocketServer constructor now throws an error if more than one of thenoServer,server, andport options are specefied (66e58d27).
• Fixed a bug where a'close' event was emitted by aWebSocketServer beforethe internal HTTP/S server was actually closed (5a587304).
• Fixed a bug that allowed WebSocket connections to be established afterWebSocketServer.prototype.close() was called (772236a1).

7.5.2

Bug fixes

• The opening handshake is now aborted if the client receives aSec-WebSocket-Extensions header but no extension was requested or if theserver indicates an extension not requested by the client (aca94c86).

7.5.1

Bug fixes

• Fixed an issue that prevented the connection from being closed properly if anerror occurred simultaneously on both peers (b434b9f1).

7.5.0

Features

• Some errors now have acode property describing the specific type of errorthat has occurred (#1901).

Bug fixes

• A close frame is now sent to the remote peer if an error (such as a dataframing error) occurs (8806aa9a).
• The close code is now always 1006 if no close frame is received, even if theconnection is closed due to an error (8806aa9a).

7.4.6

Bug fixes

• Fixed a ReDoS vulnerability (00c425ec).

A specially crafted value of theSec-Websocket-Protocol header could be usedto significantly slow down a ws server.

for(constlengthof[1000,2000,4000,8000,16000,32000]){constvalue='b'+' '.repeat(length)+'x';conststart=process.hrtime.bigint();value.trim().split(/*,*/);</tr></table>

... (truncated)

• 4c1849a [dist] 7.5.3
• 772236a [fix] Abort the handshake if the server is closing or closed
• 5a58730 [fix] Emit the'close' event after the server is closed
• ea63b29 [minor] Fix typo
• 66e58d2 [fix] Make the{noS,s}erver, andport options mutually exclusive
• ecb9d9e [minor] Improve JSDoc-inferred types (#1912)
• 0ad1f9d [dist] 7.5.2
• aca94c8 [fix] Abort the handshake if an unexpected extension is received
• 38c6c73 [dist] 7.5.1
• 2916006 [test] Add more tests forWebSocket.prototype.close()
• Additional commits viewable incompare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabotdashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)