Hi all,
I'm the maintainer of Faye (https://github.com/faye), a collection of WebSocket packages for Node.js and Ruby. I recently discovered a denial-of-service bug in the npm package `permessage-deflate`, whereby user input that adheres to the RFC can crash a WebSocket server by causing it to pass input that recent releases of zlib packaged with Node.js no longer accept.
A full write-up of this issue is available here:
The issue may also affect Ruby users if their Ruby is dynamically linked to a zlib release that includes the relevant changes, so I have pre-emptively issued a patch for the Ruby version.
We recommend you install the following packages if you are affected by this issue:
For npm:
- permessage-deflate 0.1.6
- websocket-extensions 0.1.2
For Ruby:
- permessage_deflate 0.1.4
--