Skip to content

DoS due to excessively large websocket message in ws

High severity GitHub Reviewed Published Feb 18, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm ws (npm)

Affected versions

< 1.1.1

Patched versions

1.1.1

Description

Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.

Recommendation

Update to version 1.1.1 or later.
Alternatively, set the maxpayload option for the ws server to a value smaller than 256MB.

References

Published to the GitHub Advisory Database Feb 18, 2019
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

0.105%
(44th percentile)

Weaknesses

CVE ID

CVE-2016-10542

GHSA ID

GHSA-6663-c963-2gqg

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.