
[GHSA-5v72-xg48-5rpm] Denial of Service in ws#8024

Open
RainSignal wants to merge 1 commit into RainSignal/advisory-improvement-8024 from RainSignal-GHSA-5v72-xg48-5rpm

Conversation

@RainSignal


Updates

  • Affected products

Comments

Reason for change

The current advisory states that versions >= 0.2.6, < 1.1.5 are affected. However, code inspection suggests that the vulnerability was introduced later.

The vulnerable code resides in lib/Extensions.js, specifically in the parse() function:

var paramsList = extensions[token] = extensions[token] || [];
...
(parsedParams[key] = parsedParams[key] || []).push(value);

which stores extension names and parameter names in ordinary JavaScript objects without excluding inherited properties from Object.prototype.

Relevant source:

The same vulnerable logic is also present in later branches and is fixed by:

The fixes introduce explicit hasOwnProperty() checks:

if (extensions[token] === undefined) {
  extensions[token] = [];
} else if (!extensions.hasOwnProperty(token)) {
  return;
}

and

if (parsedParams[key] === undefined) {
  parsedParams[key] = [value];
} else if (parsedParams.hasOwnProperty(key)) {
  parsedParams[key].push(value);
}

which prevent names inherited from Object.prototype (such as constructor, toString, and hasOwnProperty) from being interpreted as extension or parameter storage.

To determine the introduction version, I inspected releases prior to 0.6 and found that they do not contain lib/Extensions.js, and therefore do not contain the vulnerable parsing logic.

I reproduced the issue on v0.6 using:

Sec-WebSocket-Extensions: constructor

which causes parse() to access inherited properties and eventually raises:

TypeError: paramsList.push is not a function

resulting in a denial of service.

Based on the source code history and reproduction results, the affected range should begin at 0.6.0, not 0.2.6.

Suggested affected range:

>= 0.6.0, < 1.1.5
>= 2.0.0, < 3.3.1

Copilot stopped work on behalf of RainSignal due to an error June 12, 2026 17:52
@github-actions github-actions Bot changed the base branch from main to RainSignal/advisory-improvement-8024 June 12, 2026 17:54
