Skip to content

[GHSA-5v72-xg48-5rpm] Denial of Service in ws#8024

Merged
advisory-database[bot] merged 1 commit into
RainSignal/advisory-improvement-8024from
RainSignal-GHSA-5v72-xg48-5rpm
Jul 17, 2026
Merged

[GHSA-5v72-xg48-5rpm] Denial of Service in ws#8024
advisory-database[bot] merged 1 commit into
RainSignal/advisory-improvement-8024from
RainSignal-GHSA-5v72-xg48-5rpm

Conversation

@RainSignal

Copy link
Copy Markdown

Updates

  • Affected products

Comments

Reason for change

The current advisory states that versions >= 0.2.6, < 1.1.5 are affected. However, code inspection suggests that the vulnerability was introduced later.

The vulnerable code resides in lib/Extensions.js, specifically in the parse() function:

var paramsList = extensions[token] = extensions[token] || [];
...
(parsedParams[key] = parsedParams[key] || []).push(value);

which stores extension names and parameter names in ordinary JavaScript objects without excluding inherited properties from Object.prototype.

Relevant source:

The same vulnerable logic is also present in later branches and is fixed by:

The fixes introduce explicit hasOwnProperty() checks:

if (extensions[token] === undefined) {
  extensions[token] = [];
} else if (!extensions.hasOwnProperty(token)) {
  return;
}

and

if (parsedParams[key] === undefined) {
  parsedParams[key] = [value];
} else if (parsedParams.hasOwnProperty(key)) {
  parsedParams[key].push(value);
}

which prevent names inherited from Object.prototype (such as constructor, toString, and hasOwnProperty) from being interpreted as extension or parameter storage.

To determine the introduction version, I inspected releases prior to 0.6 and found that they do not contain lib/Extensions.js, and therefore do not contain the vulnerable parsing logic.

I reproduced the issue on v0.6 using:

Sec-WebSocket-Extensions: constructor

which causes parse() to access inherited properties and eventually raises:

TypeError: paramsList.push is not a function

resulting in a denial of service.

Based on the source code history and reproduction results, the affected range should begin at 0.6.0, not 0.2.6.

Suggested affected range:

>= 0.6.0, < 1.1.5
>= 2.0.0, < 3.3.1

Copilot stopped work on behalf of RainSignal due to an error June 12, 2026 17:52
@github-actions
github-actions Bot changed the base branch from main to RainSignal/advisory-improvement-8024 June 12, 2026 17:54
@github-actions

Copy link
Copy Markdown

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions Bot added the Stale label Jul 17, 2026
@advisory-database
advisory-database Bot merged commit 92a48e8 into RainSignal/advisory-improvement-8024 Jul 17, 2026
4 checks passed
@advisory-database

Copy link
Copy Markdown
Contributor

Hi @RainSignal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database
advisory-database Bot deleted the RainSignal-GHSA-5v72-xg48-5rpm branch July 17, 2026 18:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant