Skip to content

v2.0.10

Latest

Choose a tag to compare

@yusukebe yusukebe released this 15 Jul 23:20

Security fixes

This release includes a fix for the following security issue:

Unauthenticated memory-leak DoS via aborted WebSocket handshake

Affects: upgradeWebSocket. A WebSocket upgrade request with a missing or malformed Sec-WebSocket-Key header leaked the request's IncomingMessage and left a promise pending, even though no connection was established. Since the route is reachable pre-handshake without authentication, an attacker could flood it to gradually exhaust memory. GHSA-9mqv-5hh9-4cgg


Users of upgradeWebSocket are encouraged to upgrade to this version.