Description
Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.
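The failure mode described above, as an added example: a simplified Sec-WebSocket-Extensions parser written for this page, not the ws library's code. The function names (`parseExtensions`, `plainMap`, `bareMap`, `outcome`) and the sample headers are assumptions constructed for illustration. The parser runs once with a plain object accumulator and once with a prototype-less one.

```javascript
// Added example: simplified header parser, not the ws library's source.
// makeMap supplies the accumulator object, so one parser body can be run
// with a plain literal ({}) and with a prototype-less object.
function parseExtensions(header, makeMap) {
  const offers = makeMap();
  for (const item of header.split(',')) {
    const [name, ...rawParams] = item.split(';').map((s) => s.trim());
    if (!name) continue;
    const params = makeMap();
    for (const raw of rawParams) {
      const eq = raw.indexOf('=');
      const key = eq === -1 ? raw : raw.slice(0, eq).trim();
      const value = eq === -1 ? true : raw.slice(eq + 1).trim();
      // On a plain {} an inherited name such as "toString" is already
      // defined (a function), so no array is created and push() throws.
      if (params[key] === undefined) params[key] = [];
      params[key].push(value);
    }
    if (offers[name] === undefined) offers[name] = [];
    offers[name].push(params);
  }
  return offers;
}

const plainMap = () => ({});                 // inherits Object.prototype
const bareMap = () => Object.create(null);   // no inherited keys

// Returns 'ok' or the exception type name, the way a handshake handler
// would see it. An uncaught throw here is what takes the process down.
function outcome(header, makeMap) {
  try {
    parseExtensions(header, makeMap);
    return 'ok';
  } catch (err) {
    return err.constructor.name;
  }
}

// Constructed sample headers (not captured traffic).
const SAMPLES = [
  'permessage-deflate; client_max_window_bits',
  'constructor',
  'permessage-deflate; toString=1',
];

for (const h of SAMPLES) {
  console.log(JSON.stringify(h), outcome(h, plainMap), outcome(h, bareMap));
}
```

Only the accumulator differs between the two runs; the same lookup-then-push logic is safe once the object has no inherited keys.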
Recommendation
Update the ws package to the latest compatible version. Version details follow:
Affected version(s): **>= 2.0.0, < 3.3.1** and **>= 0.2.6, < 1.1.5**
Patched version(s): **3.3.1** and **1.1.5**
Related Issues
- Denial of Service in apostrophe - Vulnerability
- Regular Expression Denial of Service in markdown - Vulnerability
- Regular Expression Denial of Service in millisecond - Vulnerability
- useragent Regular Expression Denial of Service vulnerability - CVE-2020-26311
Tags: npm, ws
Last updated on March 23, 2023