Description
Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.
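The crash class described above, as an added illustration (not code from the ws package or from this advisory): a simplified extension-header parser that keeps names in a plain object throws on inherited property names, while the same parser over prototype-less maps accepts them as ordinary keys. The function names, the reduced header grammar and the sample values are assumptions made for this example.

```javascript
// Added illustration; simplified parser, NOT the ws package's source.
// Assumed reduced grammar: ext[; param[=value]]*, ext[; ...]
function parseHeader(header, makeMap) {
  const offers = makeMap();
  for (const item of header.split(',')) {
    const [name, ...rawParams] = item.split(';').map((s) => s.trim());
    if (!name) continue;
    const params = makeMap();
    for (const raw of rawParams) {
      const [key, value = true] = raw.split('=').map((s) => s.trim());
      // Lookup by a client-supplied key: on a plain {} this also finds
      // inherited members (toString, hasOwnProperty, ...), which are
      // functions without a push() method.
      if (params[key] === undefined) params[key] = [value];
      else params[key].push(value);
    }
    // Same pattern for the extension name itself.
    if (offers[name] === undefined) offers[name] = [params];
    else offers[name].push(params);
  }
  return offers;
}

// Weak form: maps inherit from Object.prototype.
const parseUnsafe = (h) => parseHeader(h, () => ({}));
// Hardened form: maps have no prototype, so only own keys exist.
const parseSafe = (h) => parseHeader(h, () => Object.create(null));

// Constructed sample header values, not captured traffic.
const SAMPLES = [
  'permessage-deflate; client_max_window_bits',
  'constructor',
  'permessage-deflate; toString',
];

// Returns 'ok' or the name of the error the parser threw. In a server,
// an uncaught error on this path terminates the process.
function outcome(parse, header) {
  try {
    parse(header);
    return 'ok';
  } catch (err) {
    return err.name;
  }
}

for (const h of SAMPLES) {
  console.log(JSON.stringify(h), 'unsafe:', outcome(parseUnsafe, h),
    'safe:', outcome(parseSafe, h));
}
```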
Recommendation
Update the ws package to the latest compatible version. Version details:
Affected version(s): **>= 2.0.0, < 3.3.1** and **>= 0.2.6, < 1.1.5**
Patched version(s): **3.3.1**, **1.1.5**
References
Related Issues
- ws affected by a DoS when handling a request with many HTTP headers - CVE-2024-37890
- Remote Memory Disclosure in ws - CVE-2016-10518
- Lobe Chat API Key Leak - CVE-2024-37895
- Open redirect in karma - CVE-2021-23495
Tags: npm, ws
Last updated on March 23, 2023