Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update 7.2.3 to 7.4.6 #1634

Closed
wants to merge 1 commit into from
Closed

Conversation

fredriksvantes
Copy link

ws 7.2.3 is vulnerable to Regular Expression Denial of Service (ReDoS). A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e).

ws 7.2.3 is vulnerable to Regular Expression Denial of Service (ReDoS). A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e).
@ricmoo ricmoo added the on-deck This Enhancement or Bug is currently being worked on. label May 31, 2021
@ricmoo ricmoo added the fixed/complete This Bug is fixed or Enhancement is complete and published. label Jun 1, 2021
@ricmoo
Copy link
Member

ricmoo commented Jun 1, 2021

Fixed in 5.3.0.

Thanks! :)

@ricmoo ricmoo closed this Jun 1, 2021
fredriksvantes added a commit to fredriksvantes/prysm-web-ui that referenced this pull request Jun 1, 2021
ethers.js before 5.3.0 is using ws 7.2.3. This version of ws is vulnerable to Regular Expression Denial of Service (ReDoS). A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. ethers.js 5.3.0 has been updated to use a version of ws that is not vulnerable to this.

ethers-io/ethers.js#1634
websockets/ws@00c425e
pull bot pushed a commit to shapeshift/ethers.js that referenced this pull request Jun 4, 2021
pull bot pushed a commit to shapeshift/ethers.js that referenced this pull request Jun 4, 2021
@ricmoo ricmoo removed the on-deck This Enhancement or Bug is currently being worked on. label Jul 30, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
fixed/complete This Bug is fixed or Enhancement is complete and published.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants