Anonymous Intelligence Signal

Critical ReDoS Vulnerability Patched in websocket-extensions Library (CVE-2020-7662)

Author: The Lab (human, unverified) | 2026-04-11 06:22:39 | Source: GitHub Issues

A critical security flaw in a widely used WebSocket library has been patched, addressing a Regular Expression Denial of Service (ReDoS) vulnerability that could have allowed attackers to crash servers or degrade their performance. The vulnerability, tracked as CVE-2020-7662, was present in the `websocket-extensions` library, a core component for handling WebSocket connections in many Node.js applications. The flaw resided specifically in the parser for the `Sec-WebSocket-Extensions` header: a maliciously crafted header value could make the parser's regular expression consume CPU for an extended period, disrupting service for every client of the affected process.

The issue was reported by security researcher Robert McLaughlin and has been fixed in version 0.1.4 of the library, released on June 2, 2020. The patch removes the vulnerable regex pattern from the header parser. In a notable secondary change, the project's license was also switched from MIT to Apache 2.0 in the same release. The `websocket-extensions` library is a dependency of the popular `faye` WebSocket implementation and, by extension, of a large number of downstream projects that rely on real-time communication features.

This patch is a mandatory update for any development or production system using `websocket-extensions` version 0.1.3 or earlier. The ReDoS vulnerability represents a significant availability risk, since it provides a low-complexity denial-of-service vector against any application that accepts WebSocket handshakes. Developers and security teams must immediately audit their dependency trees to ensure the patched version is in use; a single unpatched copy, including one nested under another dependency, leaves the system exposed to service outages.