QID 980496: Nodejs (npm) Security Update for ws (GHSA-6fc8-4gx4-v693)

A security update has been released for ws to fix this vulnerability.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

A specially crafted value of the `Sec-Websocket-Protocol` request header can be used to significantly slow down a ws server.

  • CVSS V3 rated as Medium - 5.3 severity.
  • CVSS V2 rated as Medium - 5 severity.
  • Solution
    The vulnerability was fixed in [email protected] (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff) and backported to [email protected] (https://github.com/websockets/ws/commit/78c676d2a1acefbc05292e9f7ea0a9457704bf1b) and [email protected] (https://github.com/websockets/ws/commit/76d47c1479002022a3e4357b3c9f0e23a68d4cd2).
    Workaround:
    In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the Node.js [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) command-line option and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) option of `http.createServer()`.
  • Vendor References
    CVEs related to QID 980496

    Software Advisories
    Advisory ID | Software Component | Link
    GHSA-6fc8-4gx4-v693 | ws | github.com/advisories/GHSA-6fc8-4gx4-v693
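The workaround above bounds the total request header size at the Node.js layer. As an added example (not code from the ws project or from this advisory), the following checks the `Sec-WebSocket-Protocol` value itself in one left-to-right pass with an application-level length cap, so an oversized or malformed value can be rejected before the request is handed to the WebSocket library (for instance in the HTTP server's `'upgrade'` handler). The function names and the 1024-byte cap are assumptions, not values from the advisory.

```javascript
// Added example, not ws project code. Parses the Sec-WebSocket-Protocol
// request header (RFC 6455 4.1: a comma-separated list of tokens) in a
// single linear pass with no regular expression, and refuses values
// longer than a fixed cap. Names and the cap are assumptions.

const MAX_PROTOCOL_HEADER_BYTES = 1024; // assumed cap; real clients send far less

// RFC 7230 tchar: visible US-ASCII except the listed delimiters.
function isTokenChar(code) {
  if (code <= 0x20 || code >= 0x7f) return false;
  return '"(),/:;<=>?@[\\]{}'.indexOf(String.fromCharCode(code)) === -1;
}

// Returns an array of distinct subprotocol names, or null when the header
// is missing, too long, or malformed (empty element, duplicate, bad byte,
// whitespace inside a token). Work done is proportional to value.length.
function parseSubprotocols(value, maxBytes = MAX_PROTOCOL_HEADER_BYTES) {
  if (typeof value !== 'string' || Buffer.byteLength(value) > maxBytes) return null;
  const protocols = new Set();
  let start = -1; // index where the current token began; -1 between tokens
  let end = -1;   // index one past the token once trailing whitespace is seen
  for (let i = 0; i < value.length; i++) {
    const code = value.charCodeAt(i);
    if (isTokenChar(code)) {
      if (end !== -1) return null;          // "a b": whitespace inside an element
      if (start === -1) start = i;
    } else if (code === 0x20 || code === 0x09) { // optional whitespace
      if (start !== -1 && end === -1) end = i;
    } else if (code === 0x2c) {             // ',' terminates an element
      if (start === -1) return null;        // empty element such as "a,,b"
      const name = value.slice(start, end === -1 ? i : end);
      if (protocols.has(name)) return null; // duplicates are not allowed
      protocols.add(name);
      start = -1;
      end = -1;
    } else {
      return null;                          // control byte, non-ASCII, delimiter
    }
  }
  if (start === -1) return null;            // empty header or trailing comma
  const last = value.slice(start, end === -1 ? value.length : end);
  if (protocols.has(last)) return null;
  protocols.add(last);
  return Array.from(protocols);
}

// Typical use: in the http.Server 'upgrade' listener, run
// parseSubprotocols(req.headers['sec-websocket-protocol']) and destroy the
// socket on null before passing the request on to the WebSocket library.
module.exports = { parseSubprotocols, isTokenChar, MAX_PROTOCOL_HEADER_BYTES };
```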