ws affected by a DoS when handling a request with many HTTP headers

[NormandoHall]

GHSA-3h5v-q93c-6h6q

[darrachequesne]

We have released some new versions which include the ws fix:

• engine.io@6.5.5 with ws@~8.17.1 (socket.io@4)
• engine.io@3.6.2 with ws@~7.5.10 (socket.io@2)
• engine.io-client@6.5.4 with ws@~8.17.1 (socket.io-client@4)
• engine.io-client@3.5.4 with ws@~7.5.10 (socket.io-client@2)

Thanks for the heads-up!

[miszczu-drako]

how about socket.io-adapter? is it maintained by your team also?

When I run npm audit I still see affected ws version
npm audit --audit-level=high --package-lock-only --omit=dev --omit=optional

npm audit report

ws 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - GHSA-3h5v-q93c-6h6q
fix available via npm audit fix --force
Will install socket.io@4.5.4, which is a breaking change
node_modules/socket.io-adapter/node_modules/ws
socket.io-adapter >=2.5.2
Depends on vulnerable versions of ws
node_modules/socket.io-adapter
socket.io >=4.6.0-alpha1
Depends on vulnerable versions of socket.io-adapter
node_modules/socket.io

3 high severity vulnerabilities

[miszczu-drako]

Just in case I have raised #5051