Security vulnerability in ws (WebSocket) package #130

Closed
jtorreggiani opened this issue Nov 8, 2017 · 3 comments

Comments

@jtorreggiani

Issue description

There seems to be a security vulnerability in the ws package. The issue was discovered while running the Node Security Platform CLI utility as part of a continuous integration build.

yarn run v1.3.2
$ ./node_modules/.bin/nsp check
(+) 1 vulnerabilities found
┌────────────┬─────────────────────────────────────────────────────────────┐
│            │ Denial of Service                                           │
├────────────┼─────────────────────────────────────────────────────────────┤
│ Name       │ ws                                                          │
├────────────┼─────────────────────────────────────────────────────────────┤
│ CVSS       │ 7.5 (High)                                                  │
├────────────┼─────────────────────────────────────────────────────────────┤
│ Installed  │ 2.3.1                                                       │
├────────────┼─────────────────────────────────────────────────────────────┤
│ Vulnerable │ <3.3.1                                                      │
├────────────┼─────────────────────────────────────────────────────────────┤
│ Patched    │ >= 3.3.1                                                    │
├────────────┼─────────────────────────────────────────────────────────────┤
│ Path       │ connect-js@1.0.0 > webpack-bundle-analyzer@2.9.0 > ws@2.3.1 │
├────────────┼─────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/550                      │
└────────────┴─────────────────────────────────────────────────────────────┘

Technical info

  • Webpack Bundle Analyzer version: 2.3.1
  • Webpack version: 1.14.0
  • Node.js version: 8.9.1
  • npm/yarn version: 1.3.2
  • OS: macOS Sierra / Ubuntu

Debug info

How do you use this module? As CLI utility or as plugin?
CLI utility

If CLI, what command was used? (e.g. webpack-bundle-analyzer -O path/to/stats.json)

If plugin, what options were provided? (e.g. new BundleAnalyzerPlugin({ analyzerMode: 'disabled', generateStatsFile: true }))

What other Webpack plugins were used?
None.

It would be nice to also attach a webpack stats file.
It can be generated using these options:

new BundleAnalyzerPlugin({
  analyzerMode: 'disabled',
  generateStatsFile: true,
  // Excludes module sources from stats file so there won't be any sensitive data
  statsOptions: { source: false }
})

stats.json will be created in Webpack bundle output directory.

@valscion
Member

valscion commented Nov 9, 2017

Thank you for reporting this issue!

If I looked at the vulnerability correctly, it was about there being a Denial-of-Service bug in ws. As webpack-bundle-analyzer is a development-only tool, this isn't as severe as it could be.

Nevertheless, I'll push an update out.

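The nsp report in the issue flags ws only through the path connect-js > webpack-bundle-analyzer > ws, and the reply above weighs the severity by whether the vulnerable package is reachable only through a development-only tool. The script below is an added illustration of that triage, not code from the webpack-bundle-analyzer project or from nsp: it walks a dependency tree shaped like `npm ls --json` output (only the `name`, `version` and `dependencies` fields are read), reports every path ending in a ws version below 3.3.1, and labels each path by whether its first hop below the root is a devDependency. The ws range is the one from the advisory table; the sample tree, the devDependency set and the `some-realtime-lib` package are constructed for the example.

```javascript
// Added example (not from webpack-bundle-analyzer or nsp): locate every path
// to a vulnerable ws version in an npm-style dependency tree and mark the
// paths that exist only because of a devDependency.

// Advisory as reported by nsp in the issue: ws < 3.3.1 is vulnerable,
// >= 3.3.1 is patched.
const ADVISORY = { name: 'ws', vulnerableBelow: '3.3.1' };

// Minimal comparison for plain MAJOR.MINOR.PATCH versions. Prerelease or
// build tags are rejected rather than silently misordered.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(name, version, advisory) {
  return name === advisory.name &&
    compareVersions(version, advisory.vulnerableBelow) < 0;
}

// Depth-first walk over a tree shaped like `npm ls --json` output:
//   { name, version, dependencies: { <name>: { version, dependencies } } }
// devRoots is the set of top-level devDependency names from package.json.
// A path is "dev only" when its first hop below the root is a devDependency.
function findVulnerablePaths(tree, advisory, devRoots) {
  const findings = [];
  const visit = (name, node, parentPath, viaDev) => {
    const path = [...parentPath, `${name}@${node.version}`];
    if (isVulnerable(name, node.version, advisory)) {
      findings.push({ path: path.join(' > '), devOnly: viaDev });
    }
    const atRoot = parentPath.length === 0;
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      visit(childName, child, path, viaDev || (atRoot && devRoots.has(childName)));
    }
  };
  visit(tree.name, tree, [], false);
  return findings;
}

// Split findings the way the reply reasons about them: runtime paths need a
// fix now, dev-only paths are lower priority but still worth bumping.
function triage(findings) {
  return {
    runtime: findings.filter(f => !f.devOnly).map(f => f.path),
    devOnly: findings.filter(f => f.devOnly).map(f => f.path),
  };
}

// Constructed sample tree. The first branch mirrors the nsp path in the
// issue (connect-js@1.0.0 > webpack-bundle-analyzer@2.9.0 > ws@2.3.1);
// `some-realtime-lib` is an invented runtime dependency that already
// carries a patched ws, so it must not be flagged.
const SAMPLE_TREE = {
  name: 'connect-js',
  version: '1.0.0',
  dependencies: {
    'webpack-bundle-analyzer': {
      version: '2.9.0',
      dependencies: { ws: { version: '2.3.1', dependencies: {} } },
    },
    'some-realtime-lib': {
      version: '0.1.0',
      dependencies: { ws: { version: '3.3.1', dependencies: {} } },
    },
  },
};
const SAMPLE_DEV_ROOTS = new Set(['webpack-bundle-analyzer']);

const report = triage(findVulnerablePaths(SAMPLE_TREE, ADVISORY, SAMPLE_DEV_ROOTS));
console.log('runtime paths: ', report.runtime);
console.log('dev-only paths:', report.devOnly);
```

On a real project, feed the script the parsed output of `npm ls --json` and the `devDependencies` keys from package.json; a dev-only finding means the vulnerable code never ships to production, which is the distinction the reply draws, but the dependency should still be bumped so the CI check goes green.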
@valscion
Member

valscion commented Nov 9, 2017

Fix for this has been published in v2.9.1

@jtorreggiani
Author

Thanks!
