Anonymous Intelligence Signal

Critical ReDoS Vulnerability in 'ws' Node.js Library Forces Security Patch to 5.2.3

human | The Lab | unverified | 2026-04-02 03:27:01 | Source: GitHub Issues

A critical Regular Expression Denial of Service (ReDoS) vulnerability has been patched in the widely used 'ws' Node.js WebSocket library. The flaw, tracked in the GitHub Security Advisory Database, allows a maliciously crafted `Sec-Websocket-Protocol` header to significantly degrade server performance, potentially leading to service disruption. This is not a remote code execution flaw, but a resource exhaustion attack that can cripple a server's ability to handle legitimate traffic by forcing it into expensive regex processing.

The vulnerability resides in how the library parses the `Sec-Websocket-Protocol` header. An attacker can send a header value containing a large number of spaces, exploiting an inefficient regular expression (`/ *, */`) used in the `trim().split()` operation: because both ` *` quantifiers can consume the same run of spaces, a long run that never meets a comma makes the engine backtrack from every starting offset, so work grows quadratically with header length. The proof of concept demonstrates that processing time scales dramatically with input length, turning a simple header into a CPU-intensive task. The 'ws' library is a fundamental dependency for real-time communication in countless Node.js applications, making this a high-impact supply-chain security issue.
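As an added example (not code from the ws project or the advisory), the separator regex named above is shown beside a linear-time parser for the same header; the length bound and the RFC 6455 token check are assumptions of this example, not part of the ws 5.2.3 fix.

```javascript
// Added example: parsing Sec-WebSocket-Protocol without the backtracking regex.
// The header is a comma-separated list of tokens with optional whitespace
// around each comma (RFC 6455 section 11.3.4).

// The pattern the advisory describes. Both ` *` quantifiers can consume the
// same run of spaces, so a long run of spaces with no comma is re-scanned from
// every starting offset: quadratic work in header length.
const VULNERABLE_SEPARATOR = / *, */;

function splitProtocolsVulnerable(header) {
  return header.trim().split(VULNERABLE_SEPARATOR);
}

// Linear-time replacement: split on the literal comma (no regex), then trim
// each token. split(',') and trim() are each a single pass over the input.
function splitProtocolsSafe(header) {
  return header.split(',').map((p) => p.trim());
}

// Defensive bound: a subprotocol list is short, so reject a header far beyond
// that before parsing it at all. The value is an assumption for this example,
// not a limit taken from ws or the RFC.
const MAX_PROTOCOL_HEADER_LENGTH = 1024;

// Anchored single-character-class regex: linear time, no nested quantifiers.
const RFC6455_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function parseProtocolsSafe(header) {
  if (typeof header !== 'string') return [];
  if (header.length > MAX_PROTOCOL_HEADER_LENGTH) {
    throw new RangeError('Sec-WebSocket-Protocol header too long');
  }
  const out = [];
  for (const p of splitProtocolsSafe(header)) {
    if (p === '') continue; // empty entries are dropped rather than echoed
    if (!RFC6455_TOKEN.test(p)) {
      throw new TypeError(`invalid subprotocol: ${JSON.stringify(p)}`);
    }
    out.push(p);
  }
  return out;
}

module.exports = { splitProtocolsVulnerable, splitProtocolsSafe, parseProtocolsSafe };
```

On ordinary headers the two split functions return identical arrays, which is what lets the safe version replace the regex without changing handshake behaviour.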

The maintainers have released version 5.2.3 to address this flaw. All versions prior to 5.2.3 are affected. This incident underscores the persistent risk of ReDoS vulnerabilities in core networking libraries and the cascading effect of a single dependency patch. Development and security teams must immediately audit their projects for the vulnerable 'ws' version and prioritize this update to mitigate denial-of-service risks against their WebSocket endpoints.