⚠️ This release contains an important security fix ⚠️
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
at writeOrBuffer (internal/streams/writable.js:358:12)
This bug was introduced by this commit, included in engine.io@4.0.0
, so previous releases are not impacted.
Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.
Bug Fixes
- properly handle invalid data sent by a malicious websocket client (c0e194d)
Links
- Diff: 6.1.0...6.1.1
- Client release: -
- ws version: ~8.2.3