Releases: websockets/ws

7.5.2

04 Jul 05:32

Bug fixes

  • The opening handshake is now aborted if the client receives a
    Sec-WebSocket-Extensions header but no extension was requested or if the
    server indicates an extension not requested by the client (aca94c8).

7.5.1

29 Jun 05:17

Bug fixes

  • Fixed an issue that prevented the connection from being closed properly if an
    error occurred simultaneously on both peers (b434b9f).

7.5.0

16 Jun 13:15

Features

  • Some errors now have a code property describing the specific type of error
    that has occurred (#1901).

Bug fixes

  • A close frame is now sent to the remote peer if an error (such as a data
    framing error) occurs (8806aa9).
  • The close code is now always 1006 if no close frame is received, even if the
    connection is closed due to an error (8806aa9).

5.2.3

08 Jun 19:26

Bug fixes

6.2.2

07 Jun 11:23

Bug fixes

7.4.6

25 May 16:28

Bug fixes

  • Fixed a ReDoS vulnerability (00c425e).

A specially crafted value of the Sec-Websocket-Protocol header could be used
to significantly slow down a ws server.

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

The vulnerability was responsibly disclosed along with a fix in private by
Robert McLaughlin from University of California, Santa Barbara.

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
allowed length of the request headers using the --max-http-header-size=size
and/or the maxHeaderSize options.
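
The slowdown measured above comes from the regex retrying ` *` from every position in a long run of spaces that contains no comma. As an added example (not ws code, and not a description of the change in 00c425e), a single-pass splitter returns the same tokens in linear time; `splitHeaderList`, `splitWithRegex`, `elapsedNs` and the sample values are hypothetical names and constructed inputs, and the splitter also strips tabs, which the regex does not.

```javascript
'use strict';

// Added example, not ws code. Splits a comma-separated header value in one
// left-to-right pass, so the cost stays O(n) even for a comma-free run of
// spaces.
function splitHeaderList(value) {
  const tokens = [];
  let start = -1; // index of the first non-blank char of the current token
  let end = -1; // index just past its last non-blank char

  for (let i = 0; i < value.length; i++) {
    const ch = value.charCodeAt(i);

    if (ch === 0x2c /* ',' */) {
      tokens.push(start === -1 ? '' : value.slice(start, end));
      start = end = -1;
    } else if (ch !== 0x20 /* ' ' */ && ch !== 0x09 /* '\t' */) {
      if (start === -1) start = i;
      end = i + 1;
    }
  }

  tokens.push(start === -1 ? '' : value.slice(start, end));
  return tokens;
}

// The pattern timed in the snippet above, kept only for comparison.
function splitWithRegex(value) {
  return value.trim().split(/ *, */);
}

// Wall-clock time of one call, in nanoseconds.
function elapsedNs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0);
}

// Constructed sample inputs.
const normal = 'chat ,  superchat,v2.example';
const crafted = 'b' + ' '.repeat(16000) + 'x';

console.log(splitHeaderList(normal));
console.log('regex : %d ns', elapsedNs(splitWithRegex, crafted));
console.log('linear: %d ns', elapsedNs(splitHeaderList, crafted));
```
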

7.4.5

18 Apr 08:21

Bug fixes

  • UTF-8 validation is now done even if utf-8-validate is not installed
    (23ba6b2).
  • Fixed an edge case where websocket.close() and websocket.terminate() did
    not close the connection (67e25ff).

7.4.4

06 Mar 20:45
Compare
Choose a tag to compare

Bug fixes

  • Fixed a bug that could cause the process to crash when using the
    permessage-deflate extension (9277437).

7.4.3

02 Feb 19:18
Compare
Choose a tag to compare

Bug fixes

  • The deflate/inflate stream is now reset instead of reinitialized when context
    takeover is disabled (#1840).

7.4.2

29 Dec 20:18
Compare
Choose a tag to compare

Bug fixes

  • Silenced a deprecation warning (a2c0d44).