[ANN] Denial-of-service bug affecting permessage-deflate-node, websocket-extensions-node and permessage-deflate-ruby


James Coglan

Sep 10, 2017, 1:17:54 PM
to faye-...@googlegroups.com, Node list, ruby-talk ML
Hi all,

I'm the maintainer of Faye (https://github.com/faye), a collection of WebSocket packages for Node.js and Ruby. I recently discovered a denial-of-service bug in the npm package `permessage-deflate`, whereby user input that adheres to the RFC can crash a WebSocket server by causing it to pass input that recent releases of zlib packaged with Node.js no longer accept.

A full write-up of this issue is available here:


The issue may also affect Ruby users if their Ruby is dynamically linked to a zlib release that includes the relevant changes, so I have pre-emptively issued a patch for the Ruby version.

We recommend you install the following packages if you are affected by this issue:

For npm:

- permessage-deflate 0.1.6
- websocket-extensions 0.1.2

For Ruby:

- permessage_deflate 0.1.4

--
James Coglan
http://jcoglan.com
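The following is an added example, not part of James Coglan's message or of the Faye project's code. It walks the JSON tree printed by `npm ls --json` and flags any copy of the two npm packages named in the announcement whose version is older than the fixed release listed above (0.1.6 and 0.1.2). The dependency tree embedded below is constructed for illustration, not real `npm ls` output, and the `dependencies`/`version` field names are the ones `npm ls --json` emits; the Ruby gem is not covered.

```javascript
// Added example (not from the announcement or the Faye project): scan an
// `npm ls --json` tree for permessage-deflate / websocket-extensions copies
// older than the fixed releases named in the announcement.

// Fixed versions quoted from the announcement.
const FIXED = {
  'permessage-deflate': '0.1.6',
  'websocket-extensions': '0.1.2',
};

// Numeric comparison of two "x.y.z" version strings; returns -1, 0 or 1.
// A plain string comparison would wrongly rank "0.1.10" below "0.1.6".
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively visit every node of the `npm ls --json` tree (each node has an
// optional `dependencies` map keyed by package name, each entry carrying a
// `version`) and collect every affected package below its fixed version.
// Nested copies matter: a patched top-level install does not fix an old
// copy that another dependency pulls in underneath it.
function findVulnerable(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = path.concat(name);
    if (FIXED[name] && info.version && compareVersions(info.version, FIXED[name]) < 0) {
      out.push({
        name,
        version: info.version,
        fixed: FIXED[name],
        path: here.join(' > '),
      });
    }
    findVulnerable(info, here, out);
  }
  return out;
}

// Human-readable report; returns a string so it can be checked or logged.
function formatReport(findings) {
  if (findings.length === 0) return 'No affected package versions found.';
  return findings
    .map((f) => `${f.path}: ${f.name}@${f.version} is below fixed ${f.fixed}`)
    .join('\n');
}

// Constructed sample tree (assumption: shaped like `npm ls --json` output).
// It has a patched websocket-extensions at top level, an old copy nested
// under faye, and an old permessage-deflate at top level.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    faye: {
      version: '1.2.4',
      dependencies: {
        'faye-websocket': {
          version: '0.11.1',
          dependencies: {
            'websocket-driver': {
              version: '0.6.5',
              dependencies: {
                'websocket-extensions': { version: '0.1.1' },
              },
            },
          },
        },
      },
    },
    'permessage-deflate': { version: '0.1.5' },
    'websocket-extensions': { version: '0.1.2' },
  },
};

console.log(formatReport(findVulnerable(SAMPLE_TREE)));
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --json --all` (older npm versions print the full tree without `--all`), run from the project root; the nested path in each finding tells you which dependency is pulling in the old copy.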