Skip to content

Releases: websockets/ws

8.21.1

Choose a tag to compare

@lpinca lpinca released this 14 Jul 16:54

Bug fixes

  • Empty fragments are now counted toward the limit (a2f4e7c).
  • The default values of the maxBufferedChunks and maxFragments options have
    been reduced (f197ac6).

7.5.12

Choose a tag to compare

@lpinca lpinca released this 14 Jul 16:53

Bug fixes

6.2.5

Choose a tag to compare

@lpinca lpinca released this 14 Jul 16:52

Bug fixes

5.2.6

Choose a tag to compare

@lpinca lpinca released this 14 Jul 16:51

Bug fixes

8.21.0

Choose a tag to compare

@lpinca lpinca released this 22 May 18:03

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd4).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd4).

A high volume of tiny fragments and data chunks could be sent by a peer, using
modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false };
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the
maxPayload option if possible.

7.5.11

Choose a tag to compare

@lpinca lpinca released this 22 May 18:03

Bug fixes

6.2.4

Choose a tag to compare

@lpinca lpinca released this 22 May 18:03

Bug fixes

5.2.5

Choose a tag to compare

@lpinca lpinca released this 22 May 18:02

Bug fixes

8.20.1

Choose a tag to compare

@lpinca lpinca released this 12 May 15:47

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close()
    (c0327ec).

Providing a TypedArray (e.g. Float32Array) as the reason argument for
websocket.close(), rather than the supported string or Buffer types, caused
uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Choose a tag to compare

@lpinca lpinca released this 21 Mar 17:29

Features

  • Added exports for the PerMessageDeflate class and utilities for the
    Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1).