Summary

`@lhci/cli` has a High severity vulnerability reported from `npm audit`: https://github.com/advisories/GHSA-3h5v-q93c-6h6q

The patch appears to have been merged into `@lhci/cli`, just yet to be released. Cutting a new release should address the CVE by updating to `lighthouse@12.x`: https://github.com/GoogleChrome/lighthouse-ci/blob/8fe7e8db5c1d5b7c38758adcd42572e74288265e/packages/cli/package.json#L24

Impact (per CVE): A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.

Details

A vulnerability was detected in the `ws` package, currently used in the `lighthouse@11.x` and `puppeteer-core@21.x` packages (screenshots below). The dependency tree has resolved the vulnerability in `lighthouse@12.x`.

![Screenshot 2024-06-18 at 3 07 03 PM](https://github.com/GoogleChrome/lighthouse-ci/assets/3472134/1434e970-9730-4357-bbb2-9637a3df394c)

PoC

Execute this command in this package:

```
npm audit
```

![Screenshot 2024-06-18 at 3 32 31 PM](https://github.com/GoogleChrome/lighthouse-ci/assets/3472134/db65f1c4-7574-4f00-9c75-b0630a32ea00)