Fix crash when the Upgrade header cannot be read #2231

lpinca · 2024-06-15T20:09:17Z

It is possible that the Upgrade header is correctly received and handled
(the 'upgrade' event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
server.maxHeadersCount or request.maxHeadersCount threshold. In this
case incomingMessage.headers.upgrade may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230

It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230

Bumps ws from 7.5.9 to 7.5.10 to address crash when the Upgrade header cannot be read. See websockets/ws#2231.

In particular: websockets/ws#2230 websockets/ws#2231

lpinca mentioned this pull request Jun 15, 2024

Throws TypeError when there are too many HTTP headers #2230

Closed

1 task

lpinca force-pushed the fix/issue-2230 branch from e009fc7 to dec10b6 Compare June 16, 2024 09:18

lpinca changed the title ~~Abort the handshake if the Upgrade header cannot be validated~~ Fix crash when the Upgrade header cannot be read Jun 16, 2024

lpinca merged commit fac8994 into master Jun 16, 2024
85 checks passed

lpinca deleted the fix/issue-2230 branch June 16, 2024 09:30

mina86 mentioned this pull request Jun 18, 2024

build(deps): bump ws from 7.5.9 to 7.5.10 ComposableFi/emulated-light-client#347

Merged

mina86 pushed a commit to ComposableFi/emulated-light-client that referenced this pull request Jun 18, 2024

build(deps): bump ws from 7.5.9 to 7.5.10 (#347)

08ffbb0

Bumps ws from 7.5.9 to 7.5.10 to address crash when the Upgrade header cannot be read. See websockets/ws#2231.

ojengwa mentioned this pull request Jun 18, 2024

Upgrade WS dependency - ws affected by a DoS when handling a request with many HTTP headers nestjs/graphql#3215

Closed

4 tasks

PavelMor25 mentioned this pull request Jun 19, 2024

ws affected by a DoS when handling a request with many HTTP headers PavelMor25/testcafe-private#84

Open

1 task

Knightplayzz mentioned this pull request Jun 21, 2024

ws affected by a DoS when handling a request with many HTTP headers discordjs/discord.js#10359

Closed

debricked bot mentioned this pull request Jun 22, 2024

Fix CVE–2024–37890 black-da-bull/gpt-crawler#4

Closed

github-actions bot mentioned this pull request Jun 22, 2024

chore(deps): update dependency coder/code-server to v4.90.3 uniget-org/tools#5476

Merged

1 task

torokati44 mentioned this pull request Jun 24, 2024

chore: web: Regenerate package-lock.json ruffle-rs/ruffle#16863

Merged

chinthliss added a commit to chinthliss/MuckWebInterface that referenced this pull request Jun 25, 2024

build: Update dependencies to fix warning

14b3561

In particular: websockets/ws#2230 websockets/ws#2231

elischutze mentioned this pull request Jun 26, 2024

Security vulnerability in ws package, upgrade to at least 8.17.1 tedeh/jayson#229

Closed

github-actions bot mentioned this pull request Jun 26, 2024

Added decktape uniget-org/tools#5562

Merged

This was referenced Jul 7, 2024

[Snyk] Upgrade ws from 8.13.0 to 8.17.1 X-oss-byte/ccxt#47

Open

[Snyk] Upgrade ws from 8.2.3 to 8.17.1 X-oss-byte/ganache#623

Open

Exkaleburx mentioned this pull request Jul 7, 2024

[Snyk] Upgrade ws from 8.16.0 to 8.17.1 Exkaleburx/ccxt#35

Open

NOUIY mentioned this pull request Jul 8, 2024

[Snyk] Upgrade ws from 8.12.0 to 8.17.1 NOUIY/vscode-extension-samples#773

Open

Ramyromel mentioned this pull request Jul 8, 2024

[Snyk] Upgrade ws from 8.17.0 to 8.17.1 Ramyromel/polkadot-wiki#5

Open

taeb3 mentioned this pull request Jul 8, 2024

[Snyk] Upgrade ws from 7.5.10 to 8.17.1 taeb3/gitlabs#139

Open

FaroukAmr mentioned this pull request Jul 8, 2024

[Snyk] Upgrade ws from 8.11.0 to 8.17.1 FaroukAmr/Web-Application#1043

Open

rater193 mentioned this pull request Jul 8, 2024

[Snyk] Upgrade ws from 8.2.3 to 8.17.1 Homestead-Game-Development/Voxels-Edge-Server#27

Open

github-actions bot mentioned this pull request Aug 15, 2024

High severity - Denial of Service (DoS) vulnerability in ws (package.json) jordaniac89/juice-shop#216

Open

tim2zg mentioned this pull request Aug 16, 2024

[Snyk] Upgrade ws from 8.16.0 to 8.18.0 tim2zg/ioBroker.fronius-wattpilot#58

Merged

This was referenced Aug 21, 2024

[Snyk] Upgrade ws from 8.13.0 to 8.18.0 ramzimalhas/SillyTavern#4

Open

[Snyk] Upgrade ws from 8.8.1 to 8.18.0 ramzimalhas/BrowserBox#2

Open

qdraw mentioned this pull request Aug 25, 2024

[Snyk] Upgrade ws from 8.17.1 to 8.18.0 qdraw/starsky#1666

Merged

mtsammy40 mentioned this pull request Aug 29, 2024

[Snyk] Upgrade ws from 8.17.0 to 8.18.0 mtsammy40/crypto_alerts_api#3

Open

TitiLaPierre mentioned this pull request Sep 1, 2024

[Snyk] Upgrade ws from 8.17.1 to 8.18.0 TitiLaPierre/TicTacToe_NodeJS#5

Merged

X-oss-byte mentioned this pull request Sep 7, 2024

[Snyk] Upgrade: , , , , , , , , , , , , , , , , bip39, bufferutil, emittery, eth-sig-util, leveldown, tmp-promise, utf-8-validate, ws X-oss-byte/ganache#677

Open

taeb3 mentioned this pull request Sep 7, 2024

[Snyk] Upgrade: browser-or-node, chai, isomorphic-ws, q, thrift, ws taeb3/gitlabs#155

Open

FaroukAmr mentioned this pull request Sep 8, 2024

[Snyk] Upgrade: , dotenv, express, express-rate-limit, express-session, helmet, moment, mongoose, nodemailer, pdfkit, ws FaroukAmr/Web-Application#1141

Open

rater193 mentioned this pull request Sep 9, 2024

[Snyk] Upgrade: folder-hash, simplex-noise, websocket, ws Homestead-Game-Development/Voxels-Edge-Server#31

Open

This was referenced Sep 9, 2024

[Snyk] Upgrade: ioredis, serve-handler, ws WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition#481

Open

[Snyk] Upgrade: amqplib, level, serve-handler, superagent, ws WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition#500

Open

This was referenced Sep 13, 2024

[Snyk] Upgrade: ms, debug, glob, https-proxy-agent, socks-proxy-agent, stack-utils, ws organich/playwright#3

Open

[Snyk] Upgrade: , , acorn, data-uri-to-buffer, dotenv, glob-stream, preact, reflect-metadata, ws organich/vscode-js-debug#1

Open

FaroukAmr mentioned this pull request Sep 14, 2024

[Snyk] Upgrade: , dotenv, express, express-rate-limit, express-session, helmet, moment, mongoose, nodemailer, pdfkit, ws FaroukAmr/Web-Application#1146

Open

organich mentioned this pull request Sep 15, 2024

[Snyk] Upgrade: , , acorn, astring, data-uri-to-buffer, dotenv, glob-stream, preact, reflect-metadata, ws organich/vscode-js-debug#2

Open

Roseymr mentioned this pull request Sep 17, 2024

[Snyk] Upgrade ws from 8.16.0 to 8.18.0 Roseymr/ccxt#3

Open

WontonSam mentioned this pull request Sep 18, 2024

[Snyk] Upgrade: amqplib, level, serve-handler, superagent, ws WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition#535

Open

X-oss-byte mentioned this pull request Sep 19, 2024

[Snyk] Upgrade: , , , , , , , , , , , , , , , , bip39, bufferutil, emittery, eth-sig-util, leveldown, tmp-promise, utf-8-validate, ws X-oss-byte/ganache#687

Open

WontonSam mentioned this pull request Sep 19, 2024

[Snyk] Upgrade: serve-handler, ws WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition#539

Open

FaroukAmr mentioned this pull request Sep 19, 2024

[Snyk] Upgrade: , dotenv, express, express-rate-limit, express-session, helmet, moment, mongoose, nodemailer, pdfkit, ws FaroukAmr/Web-Application#1149

Open

neznaamey mentioned this pull request Sep 21, 2024

[Snyk] Upgrade: axios, discord-protos, electron-store, express, node-fetch, socket.io, ws neznaamey/DiscordBotClient#30

Open

FaroukAmr mentioned this pull request Sep 21, 2024

[Snyk] Upgrade: , dotenv, express, express-rate-limit, express-session, helmet, moment, mongoose, nodemailer, pdfkit, ws FaroukAmr/Web-Application#1151

Open

neznaamey mentioned this pull request Sep 22, 2024

[Snyk] Upgrade: axios, discord-protos, electron-store, express, node-fetch, socket.io, ws neznaamey/DiscordBotClient#31

Open

snyk-io bot mentioned this pull request Sep 23, 2024

[Snyk] Upgrade: commander, koa-compress, ws SherfeyInv/chii#2

Open

lirantal mentioned this pull request Sep 30, 2024

[Snyk] Upgrade ws from 8.8.1 to 8.18.0 lirantal/Dependency-Frost#34

Closed

oji3000 mentioned this pull request Oct 2, 2024

[Snyk] Upgrade ws from 8.6.0 to 8.18.0 rkitagawa-do/sample-websocket#1

Open

Danielhay016 mentioned this pull request Oct 6, 2024

[Snyk] Upgrade ws from 8.13.0 to 8.18.0 Danielhay016/E-photo_App_development_course#14

Open

WontonSam mentioned this pull request Nov 2, 2024

[Snyk] Upgrade ws from 7.2.3 to 8.18.0 WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition#603

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix crash when the Upgrade header cannot be read #2231

Fix crash when the Upgrade header cannot be read #2231

lpinca commented Jun 15, 2024 •

edited

Loading

Fix crash when the Upgrade header cannot be read #2231

Fix crash when the Upgrade header cannot be read #2231

Conversation

lpinca commented Jun 15, 2024 • edited Loading

lpinca commented Jun 15, 2024 •

edited

Loading