Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close()
  (c0327ec).

Providing a TypedArray (e.g. Float32Array) as the reason argument for
websocket.close(), rather than the supported string or Buffer types, caused
uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

Features

• Added exports for the PerMessageDeflate class and utilities for the
  Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1).

Features

• Added the closeTimeout option (#2308).

Bug fixes

• Handled a forthcoming breaking change in Node.js core (1998485).

Bug fixes

• Fixed a spec violation where the Sec-WebSocket-Version header was not added
  to the HTTP response if the client requested version was either invalid or
  unacceptable (#2291).

Bug fixes

• Fixed an issue that, during message decompression when the maximum size was
  exceeded, led to the emission of an inaccurate error and closure of the
  connection with an improper close code (#2285).

Bug fixes

• The length of the UNIX domain socket paths in the tests has been shortened to
  make them work when run via CITGM (021f7b8).

Features

• Added support for Blob (#2229).

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding theserver.maxHeadersCount
threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

The vulnerability was reported by Ryan LaPointe in #2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the
   --max-http-header-size=size and/or the maxHeaderSize options so
   that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.

Bug fixes

• Backported e55e510 to the 7.x release line (22c2876).

Bug fixes

• Backported e55e510 to the 6.x release line (eeb76d3).