ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Hi, @gamboaa! Thanks so much for submitting this notice! 😄
It looks like we had a PR from a while ago to update the ws base version to ws@7.5.3 in the @slack/rtm-api package, but it looks like it was never released. I am going to re-verify with my team to make sure this is good to release, and if so, I'll release a version with the updated ws base version! 🙌
@gamboaa thanks again for flagging this! A new @slack/rtm-api version, v6.1.0, has been released that addresses this security update. You can view the release notes here!
Since this is resolved, I will be closing this issue out, but if anything else comes up then please feel free to file another issue! 🎉
Packages:
Select all that apply:
@slack/web-api
@slack/rtm-api
@slack/webhooks
@slack/oauth
@slack/socket-mode
@slack/types
Requirements
The direct dependency on ws@5.2.3 introduces a vulnerability: CVE-2021-32640