The dependency ws is vulnerable in versions >= 0.2.6, < 3.3.1.
Patched version: 3.3.1.
Affected versions of ws are vulnerable to: "a specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash."
Fixing commit: https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a
How to reproduce?
npm install --save discord.io
package-lock.json
)
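The bug class quoted above, as an added example (a simplified stand-in, not the ws source and not code from this report). It shows why a header parser that stores extension names in a plain `{}` fails on an Object.prototype property name, and how a null-prototype map avoids it. The function names and the sample header are constructed for illustration.

```javascript
// Constructed sample header: one ordinary offer plus one extension whose
// name is an Object.prototype property name.
const CRAFTED = 'permessage-deflate; client_max_window_bits, constructor';

// Hypothetical parser for "ext; p1=v1; p2, ext2" style header values.
// makeMap decides which kind of object holds the parsed names.
function parseExtensions(header, makeMap) {
  const offers = makeMap();
  for (const part of header.split(',')) {
    const [name, ...rawParams] = part.split(';').map((s) => s.trim());
    if (!name) continue;
    const params = makeMap();
    for (const raw of rawParams) {
      const eq = raw.indexOf('=');
      const key = eq === -1 ? raw : raw.slice(0, eq);
      const value = eq === -1 ? true : raw.slice(eq + 1);
      // Lookup-or-create. On a plain {} an inherited property (a function,
      // not an array) is found here, so .push does not exist.
      (params[key] = params[key] || []).push(value);
    }
    (offers[name] = offers[name] || []).push(params);
  }
  return offers;
}

// Weak form: plain objects inherit constructor, toString, hasOwnProperty, ...
const naiveParse = (h) => parseExtensions(h, () => ({}));

// Hardened form: null-prototype objects inherit nothing, so every name
// taken from the header is treated as plain data.
const safeParse = (h) => parseExtensions(h, () => Object.create(null));

// Defensive wrapper: a bad header should fail one handshake with a 400,
// not propagate an uncaught exception that takes the process down.
function negotiate(header, parse) {
  try {
    return { status: 101, offers: parse(header) };
  } catch (err) {
    return { status: 400, error: err.constructor.name };
  }
}

console.log('naive   :', negotiate(CRAFTED, naiveParse).status);
console.log('hardened:', negotiate(CRAFTED, safeParse).status);
```

Upgrading ws to the patched version 3.3.1 remains the actual fix; the wrapper only illustrates containing a parse failure to a single request.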