Releases: socketio/engine.io
6.2.1
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
Error: read ECONNRESET
at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
at emitErrorNT (internal/streams/destroy.js:106:8)
at emitErrorCloseNT (internal/streams/destroy.js:74:3)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
errno: -104,
code: 'ECONNRESET',
syscall: 'read'
}
Please upgrade as soon as possible.
Bug Fixes
3.6.1
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
Error: read ECONNRESET
at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
at emitErrorNT (internal/streams/destroy.js:106:8)
at emitErrorCloseNT (internal/streams/destroy.js:74:3)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
errno: -104,
code: 'ECONNRESET',
syscall: 'read'
}
Please upgrade as soon as possible.
Bug Fixes
- catch errors when destroying invalid upgrades (83c4071)
3.6.0
Bug Fixes
- add extension in the package.json main entry (#608) (3ad0567)
- do not reset the ping timer after upgrade (1f5d469)
Features
- decrease the default value of maxHttpBufferSize (58e274c)
This change reduces the default value from 100 MB to a more sane 1 MB.
This helps protect the server against denial-of-service attacks by malicious clients sending huge amounts of data.
See also: GHSA-j4f2-536g-r55m
- increase the default value of pingTimeout (f55a79a)
Links
- Diff: 3.5.0...3.6.0
- Client release: -
- ws version: ~7.4.2
6.2.0
Features
- add the "maxPayload" field in the handshake details (088dcb4)
So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize value.
This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as we only add a field in the JSON-encoded handshake data:
0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}
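The following is an added example, not engine.io's own code, covering both the 3.6.0 maxHttpBufferSize default and the maxPayload handshake field above: it parses the open packet, batches packets on the client so each long-polling payload stays under the advertised maxPayload, and enforces the server-side limit chunk by chunk so an oversized body is rejected before it is buffered. It assumes the v4 encoding of the open packet as "0" followed by JSON and the v4 polling payload format (packets joined by the ASCII record separator 0x1e); the function names and the sample packets are constructed for illustration.

```javascript
// Added example, not engine.io's own code: parse the v4 open packet shown
// above, batch packets client-side so each HTTP long-polling payload stays
// under the advertised maxPayload, and enforce maxHttpBufferSize server-side
// without first buffering an oversized body.
// Assumptions: the open packet is "0" + JSON, and an engine.io v4 polling
// payload joins packets with the ASCII record separator (0x1e).
const RECORD_SEPARATOR = "\x1e";
const DEFAULT_MAX_HTTP_BUFFER_SIZE = 1e6; // the 1 MB default since 3.6.0 / 4.x

// Parse the open packet and return the handshake details as an object.
function parseHandshake(openPacket) {
  if (openPacket[0] !== "0") throw new Error("not an open packet (type 0)");
  const details = JSON.parse(openPacket.slice(1));
  // Servers before 6.2.0 send no maxPayload; assume the default limit then.
  if (typeof details.maxPayload !== "number") {
    details.maxPayload = DEFAULT_MAX_HTTP_BUFFER_SIZE;
  }
  return details;
}

// Client side: group encoded packets into payloads whose UTF-8 byte length,
// separators included, never exceeds maxPayload. A single packet larger than
// the limit cannot be sent at all, so that is reported rather than split.
function batchPackets(packets, maxPayload) {
  const payloads = [];
  let current = [];
  let currentBytes = 0;
  for (const packet of packets) {
    const bytes = Buffer.byteLength(packet, "utf8");
    if (bytes > maxPayload) {
      throw new RangeError(`packet of ${bytes} bytes exceeds maxPayload ${maxPayload}`);
    }
    const needed = current.length > 0 ? bytes + 1 : bytes; // +1 for the separator
    if (currentBytes + needed > maxPayload) {
      payloads.push(current.join(RECORD_SEPARATOR));
      current = [];
      currentBytes = 0;
    }
    current.push(packet);
    currentBytes += current.length > 1 ? bytes + 1 : bytes;
  }
  if (current.length > 0) payloads.push(current.join(RECORD_SEPARATOR));
  return payloads;
}

// Server side: consume a streamed request body chunk by chunk and stop as
// soon as the running total passes maxHttpBufferSize. Returning early lets
// the caller answer 413 and destroy the connection instead of holding the
// attacker's bytes in memory.
function collectWithLimit(chunks, maxHttpBufferSize) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxHttpBufferSize) return { ok: false, received: total };
    parts.push(chunk);
  }
  const packets = Buffer.concat(parts).toString("utf8").split(RECORD_SEPARATOR);
  return { ok: true, packets };
}

// Constructed sample handshake (same shape as the one in the release note).
const SAMPLE_OPEN_PACKET =
  '0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}';

function demo() {
  const handshake = parseHandshake(SAMPLE_OPEN_PACKET);
  const packets = ["4hello", "4" + "x".repeat(20), "4world"]; // three message packets
  return {
    maxPayload: handshake.maxPayload,
    batchedAt25: batchPackets(packets, 25), // tiny limit to force splitting
    batchedAtMax: batchPackets(packets, handshake.maxPayload),
    oversized: collectWithLimit([Buffer.alloc(600), Buffer.alloc(600)], 1000),
    accepted: collectWithLimit([Buffer.from("4a\x1e4b")], 1000),
  };
}

console.log(JSON.stringify(demo()));
```

Note that the client must count separators as well as packet bytes, and that the server check is applied to the running total rather than to the completed body: a 100 MB default only becomes a problem because the whole body was accepted first.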
Links
- Diff: 6.1.3...6.2.0
- Client release: 6.2.0
- ws version: ~8.2.3
6.1.3
6.1.2
6.1.1
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
at writeOrBuffer (internal/streams/writable.js:358:12)
This bug was introduced by this commit, included in engine.io@4.0.0, so previous releases are not impacted.
Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.
Bug Fixes
- properly handle invalid data sent by a malicious websocket client (c0e194d)
Links
- Diff: 6.1.0...6.1.1
- Client release: -
- ws version: ~8.2.3
5.2.1
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
at writeOrBuffer (internal/streams/writable.js:358:12)
This bug was introduced by this commit, included in engine.io@4.0.0, so previous releases are not impacted.
Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.
Bug Fixes
- properly handle invalid data sent by a malicious websocket client (66f889f)
Links
- Diff: 5.2.0...5.2.1
- Client release: -
- ws version: ~7.4.2
4.1.2
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
at writeOrBuffer (internal/streams/writable.js:358:12)
This bug was introduced by this commit, included in engine.io@4.0.0, so previous releases are not impacted.
Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.
Bug Fixes
- properly handle invalid data sent by a malicious websocket client (a70800d)
Links
- Diff: 4.1.1...4.1.2
- Client release: -
- ws version: ~7.4.2
6.1.0
This release introduces a new engine implementation based on uWebSockets.js, a high-performance HTTP/WebSocket server which can be used as an alternative to the default Node.js HTTP server.
Usage:
const { App } = require("uWebSockets.js");
const { uServer } = require("engine.io");
const app = new App();
const server = new uServer();
server.attach(app);
app.listen(3000, () => {});
Feedback is welcome! 👼
Bug Fixes
- fix payload encoding for v3 clients (ed50fc3)
Features
- add an implementation based on uWebSockets.js (271e2df)
Performance Improvements
Links
- Diff: 6.0.0...6.1.0
- Client release: 6.1.0
- ws version: ~8.2.3