Closed mend-bolt-for-github[bot] closed 5 years ago
Issue-Label Bot is automatically applying the label bug
to this issue, with a confidence of 0.96. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback!
WS-2016-0031 - High Severity Vulnerability
Vulnerable Library - ws-0.4.32.tgz
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Path to dependency file: /acpd/src/dashboard/www/m_files/leaflet-markercluster-1.0.5/package.json
Path to vulnerable library: /tmp/git/acpd/src/dashboard/www/m_files/leaflet-markercluster-1.0.5/node_modules/ws/package.json
Dependency Hierarchy:
- karma-0.8.8.tgz (Root Library)
  - socket.io-0.9.19.tgz
    - socket.io-client-0.9.16.tgz
      - :x: **ws-0.4.32.tgz** (Vulnerable Library)
Found in HEAD commit: 338396b2586325ff289ce9fee376f9a4c2cf6b88
Vulnerability Details
DoS in ws module due to excessively large websocket message.
Publish Date: 2016-06-24
URL: WS-2016-0031
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/120
Release Date: 2016-06-24
Fix Resolution: Update to version 1.1.1 of ws. If that is not possible, set the `maxPayload` option on the `ws` server to a value below 256MB so that oversized messages are rejected before they are buffered.