Buffer vulnerability

@3rd-Eden released this 04 Jan 12:53
· 1087 commits to master since this release

There has been a vulnerability in the ping functionality of the `ws` module which allowed clients to allocate memory by simply sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally we always transform all data that we need to send to a `Buffer` instance and this is where the problem was. We didn't do any checks for the type of data we were sending. With buffers in Node, when you allocate one with a number instead of a string, it will allocate that number of bytes.

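```js
var x = new Buffer(100);   // number: treated as a size, allocates 100 bytes
// vs
var x = new Buffer('100'); // string: treated as content, 3 bytes holding "100"
```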

This would allocate 100 bytes of memory in the first example and just 3 bytes with `100` as value in the second example. So when the server received a ping message of `1000`, it would allocate 1000 bytes on the server and return a non-zeroed buffer to the client instead of the actual `100` message.

```js
var ws = require('ws')
var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this makes the server return a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // a non-zeroed out allocated buffer returned from the server
  })
})
```

As you can imagine, that is pretty darn dangerous, so we fixed it as soon as we received a heads up about this. So I would like to thank @feross and @mafintosh for discovering this vulnerability and disclosing it to me so it could be resolved ASAP.
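The unchecked conversion described above, next to a type-checked one, as an added example that is not code from the `ws` project. The names `legacyToBuffer`, `safeToBuffer` and `pongPayload` are hypothetical, and `Buffer.allocUnsafe` is used here as an assumption to model what `new Buffer(number)` did at the time without calling the deprecated constructor.

```js
'use strict'

// Models the old `new Buffer(data)` behaviour (assumption for this example):
// a number is read as a SIZE and yields that many bytes of uninitialized memory.
function legacyToBuffer (data) {
  if (typeof data === 'number') return Buffer.allocUnsafe(data)
  return Buffer.from(String(data))
}

// Hardened conversion (hypothetical helper): a payload is always CONTENT,
// never a size, and unexpected types are rejected instead of guessed at.
function safeToBuffer (data) {
  if (Buffer.isBuffer(data)) return data
  if (typeof data === 'number') data = String(data) // 50 -> "50" (2 bytes)
  if (typeof data !== 'string') {
    throw new TypeError('payload must be a string, number or Buffer')
  }
  return Buffer.from(data, 'utf8')
}

// Hypothetical pong builder: echo the ping payload through the given converter.
function pongPayload (pingData, toBuffer) {
  var payload = toBuffer(pingData)
  // RFC 6455 limits control frame payloads (ping/pong/close) to 125 bytes.
  if (payload.length > 125) {
    throw new RangeError('control frame payload too large')
  }
  return payload
}

// Constructed input: the numeric payload 50 from the reproduction above.
var leaked = pongPayload(50, legacyToBuffer)
var echoed = pongPayload(50, safeToBuffer)
console.log('legacy:   %d bytes of uninitialized memory', leaked.length)
console.log('hardened: %d bytes, content "%s"', echoed.length, echoed.toString())
```

The length check is a second line of defence: even with the unchecked conversion, a pong larger than a control frame can carry is refused rather than sent.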
