Vulnerabilities

1 via 1 paths

Dependencies

21

Source

GitHub

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: ws
  • Introduced through: ws@6.2.5

Detailed paths

  • Introduced through: ilp-plugin-btp@interledgerjs/ilp-plugin-btp ws@6.2.5
    Remediation: Upgrade to ws@8.21.1.

Overview

ws is a simple to use websocket client, server and console for node.js.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the receiver.js. An attacker can cause memory exhaustion by sending incomplete fragmented WebSocket messages, specifically by transmitting a text frame with FIN=0 followed by multiple continuation frames without completing the sequence, resulting in each fragment being stored as a separate Buffer object with significant overhead.

Remediation

Upgrade ws to version 8.21.1 or higher.

References