Features

Introduced the maxBufferedChunks and maxFragments options (2b2abd4).

Bug fixes

Fixed a remote memory exhaustion DoS vulnerability (2b2abd4).

A high volume of tiny fragments and data chunks could be sent by a peer, using
modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false };
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the
maxPayload option if possible.

Bug fixes

Backported 2b2abd4 to the 7.x release line (e14c458).

Bug fixes

Backported 2b2abd4 to the 6.x release line (a76e211).

Bug fixes

Backported 2b2abd4 to the 5.x release line (bd8756a).

Bug fixes

Fixed an uninitialized memory disclosure issue in websocket.close()
(c0327ec).

Providing a TypedArray (e.g. Float32Array) as the reason argument for
websocket.close(), rather than the supported string or Buffer types, caused
uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

Features

Added exports for the PerMessageDeflate class and utilities for the
Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1).

Features

Added the closeTimeout option (#2308).

Bug fixes

Handled a forthcoming breaking change in Node.js core (1998485).

Bug fixes

Fixed a spec violation where the Sec-WebSocket-Version header was not added
to the HTTP response if the client requested version was either invalid or
unacceptable (#2291).

Bug fixes

Fixed an issue that, during message decompression when the maximum size was
exceeded, led to the emission of an inaccurate error and closure of the
connection with an improper close code (#2285).

Bug fixes

The length of the UNIX domain socket paths in the tests has been shortened to
make them work when run via CITGM (021f7b8).

Uh oh!

Releases: websockets/ws

8.21.0

Features

Bug fixes

Uh oh!

7.5.11

Bug fixes

Uh oh!

6.2.4

Bug fixes

Uh oh!

5.2.5

Bug fixes

Uh oh!

8.20.1

Bug fixes

Uh oh!

8.20.0

Features

Uh oh!

8.19.0

Features

Bug fixes

Uh oh!

8.18.3

Bug fixes

Uh oh!

8.18.2

Bug fixes

Uh oh!

8.18.1

Bug fixes

Uh oh!