SockJS-node DoS vulnerability - upgrade faye-websocket to 0.7.2


Marek Majkowski

Dec 29, 2013, 4:12:26 PM
to SockJS
Hi,

Zarel discovered[1] an interesting problem in the faye-websocket[2]
package. It's the package used by sockjs-node for websocket encoding.

Consider upgrading faye-websocket via npm.

Cheers,
Marek


[1] https://github.com/sockjs/sockjs-node/pull/146
[2] https://github.com/faye/websocket-driver-node

Chris-S

Mar 10, 2014, 12:57:20 AM
to soc...@googlegroups.com
Hi,

To avoid these DoS attacks:

I deleted my 0.3.0 version of sockjs
Got the latest version of sockjs; in the node folder: npm install sockjs

But what do I do to install websocket-driver if sockjs is already compiled?

And/or how to confirm it is using faye > 0.7.2 (or >= 0.7.2, which is unclear in the above link [1])?

Regards

-ChrisS