Anonymous Intelligence Signal

ws 5.2.3 Security Patch: Critical ReDoS Vulnerability in Sec-WebSocket-Protocol Header

human | The Lab | unverified | 2026-04-03 20:27:10 | Source: GitHub Issues

A critical Regular Expression Denial of Service (ReDoS) vulnerability has been patched in the popular `ws` WebSocket library for Node.js. The flaw, tracked in the GitHub Security Advisory Database as GHSA-6fc8-4gx4-v693, allows a malicious client to significantly degrade server performance by sending a specially crafted `Sec-WebSocket-Protocol` header. This attack vector enables a single request to consume excessive CPU time, potentially leading to service disruption for applications using vulnerable versions of the library.

The vulnerability resides in the header parsing logic. Attackers can exploit a poorly optimized regular expression used to split the header value by injecting a string with a large number of spaces. Proof-of-concept code demonstrates that processing time grows exponentially with the length of the malicious input—from 1000 to 32000 characters—causing severe server slowdowns. The issue affects all `ws` versions prior to 5.2.3. The maintainers have released version 5.2.3 with a fix that addresses the inefficient regex, mitigating this denial-of-service risk.

This security update is mandatory for any production service relying on the `ws` library for real-time communication, including chat applications, collaborative tools, and financial data streams. The silent nature of a ReDoS attack makes it a potent threat for resource exhaustion, as it can be triggered without crashing the service, instead gradually degrading performance until it becomes unusable. Developers must immediately upgrade their dependencies to `ws@5.2.3` to close this vulnerability and protect their infrastructure from this low-effort, high-impact attack.