websocket-driver@0.3.0 vulnerabilities

WebSocket protocol handler with pluggable I/O

Direct Vulnerabilities

Known vulnerabilities in the websocket-driver package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Denial of Service (DoS)
Severity: High

websocket-driver is a WebSocket protocol handler with pluggable I/O.

Affected versions of this package are vulnerable to Denial of Service (DoS). When a frame header is read, a Buffer of the declared payload length is allocated immediately. The parser only checks that the declared length is no more than MAX_LENGTH, which is 2^53 - 1 (the largest precisely representable JS integer), and rejects larger frames with a 1009 close error before creating the new Buffer. But Node buffers have a maximum length of 1GB (0x3fffffff). When parsing an incoming frame whose declared length lies between 1GB and MAX_LENGTH, the parser will throw while allocating the Buffer (and perhaps crash the whole server). An attacker can send such a frame to cause a Denial of Service on the server.

How to fix Denial of Service (DoS)?

Upgrade websocket-driver to version 0.3.1 or higher.

Vulnerable versions: <0.3.1