8.18.0
Known vulnerabilities in the ws package. This does not include vulnerabilities belonging to this package’s dependencies.
| Vulnerability | Vulnerable Version |
|---|---|
| **Regular Expression Denial of Service (ReDoS).** ws is a simple to use websocket client, server and console for node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). A specially crafted value of the. How to fix: upgrade. | >=7.0.0 <7.4.6, >=6.0.0 <6.2.2, <5.2.3 |
| **Denial of Service (DoS).** ws is a simple to use websocket client, server and console for node.js. Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. A specially crafted value of the. How to fix: upgrade. | <1.1.5, >=2.0.0 <3.3.1 |
| **Insecure Randomness.** Affected versions of the package use the cryptographically insecure. Details: Computers are deterministic machines, and as such are unable to produce true randomness. Pseudo-Random Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from which subsequent values are calculated. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy-to-reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult to predict. For a value to be cryptographically secure, it must be impossible or highly improbable for an attacker to distinguish between it and a truly random value. In general, if a PRNG algorithm is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. You can read more about node's insecure. How to fix: upgrade. | <1.1.2 |
| **Denial of Service (DoS).** Affected versions of this package did not limit the size of an incoming payload before it was processed by default. As a result, a very large payload (over 256MB in size) could lead to a failed allocation and crash the node process, enabling a Denial of Service attack. While 256MB may seem excessive, note that the attack is likely to be sent from another server, not an end-user computer, using data-center connection speeds. At those speeds, a payload of this size can be transmitted in seconds. How to fix: update to version 1.1.1 or greater, which sets a default. | <1.1.1 |
| **Memory Disclosure.** A client-side memory disclosure vulnerability exists in the ping functionality of the ws service. When a client sends a ping request and provides an integer value as ping data, it will result in leaking an uninitialized memory buffer. This is a result of unobstructed use of the. | <1.0.1 |