Critical ReDoS Vulnerability Patched in websocket-extensions 0.1.4 (CVE-2020-7662)
A critical security flaw in the widely used `websocket-extensions` library has been patched, addressing a Regular Expression Denial of Service (ReDoS) vulnerability. The issue, tracked as CVE-2020-7662, was present in the library's header parser and could have allowed an attacker to cause a denial of service by sending a maliciously crafted `Sec-WebSocket-Extensions` header. The vulnerability was reported by researcher Robert McLaughlin, prompting the immediate release of version 0.1.4.
The patch, contained in commit `3dad4ad`, removes the ReDoS from the parser; every release before 0.1.4 is affected. For the many projects that rely on this library for WebSocket support, a core component of real-time web applications, the fix arrives as an ordinary dependency bump. The changelog also notes a licensing change from MIT to Apache 2.0, which may have downstream implications for projects with strict licensing requirements.
Because the update is applied silently and automatically, visible only as a dependency bump in project logs, a significant security event is easy to overlook. The patch is available, but any system still on version 0.1.3 or earlier remains exposed. This incident underscores the persistent threat of vulnerabilities inherited through the software supply chain and the importance of monitoring even minor dependency updates for security fixes.