[GHSA-5v72-xg48-5rpm] Denial of Service in ws#8024
Merged
advisory-database[bot] merged 1 commit intoJul 17, 2026
Merged
Conversation
Copilot stopped work on behalf of
RainSignal due to an error
June 12, 2026 17:52
github-actions
Bot
changed the base branch from
main
to
RainSignal/advisory-improvement-8024
June 12, 2026 17:54
|
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
advisory-database
Bot
merged commit Jul 17, 2026
92a48e8
into
RainSignal/advisory-improvement-8024
4 checks passed
Contributor
|
Hi @RainSignal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updates
Comments
Reason for change
The current advisory states that versions
>= 0.2.6, < 1.1.5are affected. However, code inspection suggests that the vulnerability was introduced later.The vulnerable code resides in
lib/Extensions.js, specifically in theparse()function:which stores extension names and parameter names in ordinary JavaScript objects without excluding inherited properties from
Object.prototype.Relevant source:
https://github.com/websockets/ws/blob/0.6/lib/Extensions.js
The same vulnerable logic is also present in later branches and is fixed by:
v1.x branch:
websockets/ws@f8fdcd4
master / v3.x branch:
websockets/ws@c4fe466
The fixes introduce explicit
hasOwnProperty()checks:and
which prevent names inherited from
Object.prototype(such asconstructor,toString, andhasOwnProperty) from being interpreted as extension or parameter storage.To determine the introduction version, I inspected releases prior to 0.6 and found that they do not contain
lib/Extensions.js, and therefore do not contain the vulnerable parsing logic.I reproduced the issue on v0.6 using:
which causes
parse()to access inherited properties and eventually raises:resulting in a denial of service.
Based on the source code history and reproduction results, the affected range should begin at 0.6.0, not 0.2.6.
Suggested affected range: