Update dependency ws to 7.4.6 [SECURITY] #819

renovate · 2021-05-29T15:25:46Z

This PR contains the following updates:

Package	Change
ws	`7.2.5` -> `7.4.6`

GitHub Vulnerability Alerts

CVE-2021-32640

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

Patches

The vulnerability was fixed in [email protected] (websockets/ws@00c425e) and backported to [email protected] (websockets/ws@78c676d) and [email protected] (websockets/ws@76d47c1).

Workarounds

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Credits

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.

renovate-approve bot approved these changes May 29, 2021

View reviewed changes

renovate bot force-pushed the renovate/npm-ws-vulnerability branch from f975151 to 46de3bb Compare June 1, 2021 17:21

renovate bot changed the title ~~Update dependency ws to 7.4.6 [SECURITY]~~ Update dependency ws to 7.4.6 [SECURITY] - autoclosed Jun 1, 2021

renovate bot closed this Jun 1, 2021

renovate bot deleted the renovate/npm-ws-vulnerability branch June 1, 2021 21:24

renovate bot changed the title ~~Update dependency ws to 7.4.6 [SECURITY] - autoclosed~~ Update dependency ws to 7.4.6 [SECURITY] Jun 2, 2021

renovate bot reopened this Jun 2, 2021

renovate bot restored the renovate/npm-ws-vulnerability branch June 2, 2021 07:55

renovate bot force-pushed the renovate/npm-ws-vulnerability branch 11 times, most recently from 4a7f3b8 to 63b89de Compare June 8, 2021 03:21

renovate bot force-pushed the renovate/npm-ws-vulnerability branch 7 times, most recently from 3b34618 to c387d51 Compare June 15, 2021 00:41

renovate bot force-pushed the renovate/npm-ws-vulnerability branch 4 times, most recently from e7f6677 to 2f89a66 Compare June 18, 2021 23:22

renovate bot force-pushed the renovate/npm-ws-vulnerability branch 10 times, most recently from 45a544d to b751d47 Compare August 2, 2021 15:01

renovate bot force-pushed the renovate/npm-ws-vulnerability branch 9 times, most recently from 3a94afc to c0e6cfb Compare August 11, 2021 05:15

renovate bot force-pushed the renovate/npm-ws-vulnerability branch 7 times, most recently from fac15a5 to cefc1d0 Compare August 14, 2021 20:43

Update dependency ws to 7.4.6 [SECURITY]

799dd59

renovate bot force-pushed the renovate/npm-ws-vulnerability branch from cefc1d0 to 799dd59 Compare August 14, 2021 21:27

renovate bot merged commit e5c88d3 into master Aug 14, 2021

renovate bot deleted the renovate/npm-ws-vulnerability branch August 14, 2021 22:56

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency ws to 7.4.6 [SECURITY] #819

Update dependency ws to 7.4.6 [SECURITY] #819

renovate bot commented May 29, 2021 •

edited

Loading

Update dependency ws to 7.4.6 [SECURITY] #819

Update dependency ws to 7.4.6 [SECURITY] #819

Conversation

renovate bot commented May 29, 2021 • edited Loading

GitHub Vulnerability Alerts

CVE-2021-32640

Impact

Proof of concept

Patches

Workarounds

Credits

Configuration

renovate bot commented May 29, 2021 •

edited

Loading