Homepage

websocket-driver@0.2.0 vulnerabilities

WebSocket protocol handler with pluggable I/O

  • latest version

    0.7.4

  • latest non vulnerable version

    0.7.4

  • first published

    11 years ago

  • latest version published

    4 years ago

  • licenses detected

    • MIT
      >=0.1.0 <0.7.1
  • View websocket-driver package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the websocket-driver package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Denial of Service (DoS)

    websocket-driver is WebSocket protocol handler with pluggable I/O.

    Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. The Buffer length is immediately allocated after reading the frame, up to a length that is no more that MAX_LENGTH, which is 2^53 - 1 (the largest precisely representable JS integer), and rejects larger frames with a 1009 error before creating the new Buffer. But Node buffers have a max length of 1GB (0x3fffffff). Parsing an incoming frame with length between 1GB and MAX_LENGTH, the parser will throw (and perhaps crash your whole server). Attackers can use this to their advantage and cause a Denial of Service on the servers.

    How to fix Denial of Service (DoS)?

    Upgrade websocket-driver to version 0.3.1 or higher.

    <0.3.1
    Go back to all versions of this package