⚠️ This release contains an important security fix ⚠️
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
at writeOrBuffer (internal/streams/writable.js:358:12)
This bug was introduced by this commit, included in engine.io@4.0.0
, so previous releases are not impacted.
Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.
Bug Fixes
- properly handle invalid data sent by a malicious websocket client (a70800d)
Links
- Diff: 4.1.1...4.1.2
- Client release: -
- ws version: ~7.4.2