websocket-driver@0.2.2 vulnerabilities

WebSocket protocol handler with pluggable I/O

  • latest version

    0.7.4

  • latest non vulnerable version

  • first published

    11 years ago

  • latest version published

    4 years ago

  • licenses detected

    • >=0.1.0 <0.7.1
  • Direct Vulnerabilities

    Known vulnerabilities in the websocket-driver package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • H (high severity)
    Denial of Service (DoS)

    websocket-driver is a WebSocket protocol handler with pluggable I/O.

    Affected versions of this package are vulnerable to Denial of Service (DoS). After reading a frame's payload-length field, the parser immediately allocates a Buffer of that size. The only bound it enforces is MAX_LENGTH, 2^53 - 1 (the largest integer JavaScript represents exactly): frames declaring a larger length are rejected with a 1009 (message too big) close code before the Buffer is created. Node buffers, however, have a much smaller maximum length, 1 GB (0x3fffffff), so a frame declaring a length between 1 GB and MAX_LENGTH passes the check and the Buffer allocation itself throws a RangeError, which crashes the whole server process if nothing catches it. An attacker only has to send a frame header claiming such a length, without ever sending the payload, to take the server down.

    How to fix Denial of Service (DoS)?

    Upgrade websocket-driver to version 0.3.1 or higher.

    Vulnerable versions: <0.3.1