yarn ws 7.4.6

latest releases: 8.2.0, 8.1.0, 8.0.0...
3 years ago

Bug fixes

  • Fixed a ReDoS vulnerability (00c425e).

A specially crafted value of the Sec-Websocket-Protocol header could be used
to significantly slow down a ws server.

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

The vulnerability was responsibly disclosed along with a fix in private by
Robert McLaughlin from University of California, Santa Barbara.

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
allowed length of the request headers using the --max-http-header-size=size
and/or the maxHeaderSize options.

Don't miss a new ws release

NewReleases is sending notifications on new releases.