VYPR

npm package

ws

pkg:npm/ws

Vulnerabilities (4)

  • CVE-2024-37890 | High | Jun 17, 2024
    affected >= 2.1.0, < 5.2.4 | fixed 5.2.4

    ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (e

  • CVE-2021-32640 | May 25, 2021
    affected >= 7.0.0, < 7.4.6 | fixed 7.4.6

    ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425e

  • CVE-2016-10542 | High | May 31, 2018
    affected < 1.1.1 | fixed 1.1.1

    ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

  • CVE-2016-10518 | High | May 31, 2018
    affected < 1.0.1 | fixed 1.0.1

    A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly wha