Recommended update: websocket-extensions 0.1.3

Skip to first unread message

James Coglan

Nov 11, 2017, 6:36:40 AM11/11/17
Hi folks,

There was recently a security advisory about the ws package relating to its handling of the Sec-WebSocket-Extensions header:

This bug meant that a client could send a header containing JavaScript Object property names, for example

    Sec-WebSocket-Extensions: hasOwnProperty

in its handshake, and this would cause an error in the handshake parser and crash the process.

I looked into whether websocket-extensions is vulnerable to this. It does have the same bug, but it should not cause a denial of service. It is already a documented feature of its API that it throws an error on invalid headers, and so websocket-driver and everything built on top of that is written to catch any errors from websocket-extensions.

So for our modules, the bug just means the socket connection fails, but the server keeps running. This is probably fine since a client sending extensions with these names is probably malicious and not something a legit end user is relying on.

I've just released websocket-extensions 0.1.3 which fixes this error, so the header is parsed successfully and the unknown extension names are ignored. I'd recommend everyone install this update as soon as possible.

Reply all
Reply to author
0 new messages