This repository has been archived by the owner on Jul 12, 2023. It is now read-only.
Running an npm audit on any TypeScript application which includes kurento-client results in the following vulnerability being reported:
ws <=1.1.0
Severity: high
A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance and that is where the vulnerability existed. ws didn't do any checks for the type of data it was sending. With buffers in node when you allocate it when a number instead of a string it will allocate the amount of bytes. -
https://gist.github.com/c0nrad/e92005446c480707a74a,https://github.com/websockets/ws/releases/tag/1.0.1,https://nodesecurity.io/advisories/67
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
https://github.com/nodejs/node/issues/7388,https://nodesecurity.io/advisories/120
No fix available
node_modules/websocket-stream/node_modules/ws
websocket-stream 0.3.2 - 2.3.0
Depends on vulnerable versions of ws
node_modules/websocket-stream
reconnect-ws *
Depends on vulnerable versions of websocket-stream
node_modules/reconnect-ws
kurento-client *
Depends on vulnerable versions of reconnect-ws
node_modules/kurento-client
Context
We are using Kurento-client in our application to facilitate audio broadcast to a selected group of users. Our internal security policy requires us to address this issue.
This issue is also reported as #373, but this is IMHO incorrectly labelled as an Enhancement while it is a Security risk for any use of kurento-client.
This issue appears to continue to exist as the reconnect-ws package referenced by kurento-client hasn't seen any updates in a number of years.
How to reproduce?
npm install kurento-client
added 28 packages, and audited 29 packages in 9s
4 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
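As an added example (not code from this issue or from the Kurento project): a small script that walks a package-lock.json (lockfileVersion 2/3 "packages" map) and prints every dependency chain from the root project to an installed copy of ws at or below 1.1.0, the same chain npm audit printed above. The lock fragment is constructed, and the versions given for kurento-client and reconnect-ws are placeholders.

```javascript
// Constructed package-lock.json fragment (lockfileVersion 3), not the project's real lock.
// It mirrors the audit chain above: the old ws sits nested under websocket-stream while the
// app's own top-level ws is a patched copy. kurento-client/reconnect-ws versions are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "kurento-client": "*", "ws": "^8.0.0" } },
  "node_modules/ws": { version: "8.0.0" },
  "node_modules/kurento-client": { version: "0.0.0-placeholder", dependencies: { "reconnect-ws": "*" } },
  "node_modules/reconnect-ws": { version: "0.0.0-placeholder", dependencies: { "websocket-stream": "*" } },
  "node_modules/websocket-stream": { version: "0.3.2", dependencies: { "ws": "~1.1.0" } },
  "node_modules/websocket-stream/node_modules/ws": { version: "1.1.0" },
} };

// Numeric major.minor.patch comparison (pre-release suffix ignored): is a <= b?
function lte(a, b) {
  const [x, y] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return true;
}
// Package name from an install path (scoped names follow the last "node_modules/").
const pkgName = (p) => p.slice(p.lastIndexOf("node_modules/") + 13);

// Node-style resolution as recorded in the lock: nearest node_modules/<dep> at fromPath or above.
function resolve(lock, fromPath, dep) {
  for (let base = fromPath; ; base = base.slice(0, Math.max(base.lastIndexOf("/node_modules/"), 0))) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
  }
}

// Every chain from the root project to an installed `target` whose version isVulnerable().
function findVulnerableChains(lock, target, isVulnerable) {
  const dependents = new Map(); // resolved install path -> paths that depend on it
  for (const [from, meta] of Object.entries(lock.packages))
    for (const dep of Object.keys(meta.dependencies || {})) {
      const to = resolve(lock, from, dep);
      if (to) dependents.set(to, [...(dependents.get(to) || []), from]);
    }
  const chains = [];
  const walk = (path, trail, seen) => { // DFS upward; `seen` guards dependency cycles
    for (const parent of dependents.get(path) || []) {
      if (parent === "") chains.push(trail.join(" > "));
      else if (!seen.has(parent)) walk(parent, [pkgName(parent), ...trail], new Set(seen).add(parent));
    }
  };
  for (const [path, meta] of Object.entries(lock.packages))
    if (path && pkgName(path) === target && isVulnerable(meta.version))
      walk(path, [`${target}@${meta.version}`], new Set([path]));
  return chains;
}

const isVulnerableWs = (v) => lte(v, "1.1.0"); // range from the audit output: ws <=1.1.0
console.log(findVulnerableChains(SAMPLE_LOCK, "ws", isVulnerableWs));
```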
Hello @koendhondt! 👋 we're sorry you found a bug... so first of all, thank you very much for reporting it.
To know about progress, check in Triage. All issues are considered Backlog Candidates until work priorities align and the issue is selected for development. It will then become part of our official Backlog.
Expected & current behavior
Expected: 0 vulnerabilities
Current: 4 high severity vulnerabilities: