Summary
A Deno program that opens a client WebSocket connection could be crashed by
the remote server. While handling the WebSocket handshake response, Deno parsed
the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in
a way that assumed their bytes were always printable ASCII. A response header
containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted
the entire Deno process.
Details
When establishing a client WebSocket connection, Deno read the
Sec-WebSocket-Protocol and Sec-WebSocket-Extensions headers from the
server's 101 Switching Protocols response and converted them to strings
without handling the failure case. HeaderValue::to_str() returns an error for
any value containing bytes outside the visible-ASCII range, so a header carrying
such bytes triggered an unrecoverable error during conversion.
Because the client initiates the outbound connection, the handshake response is
fully controlled by the server. A server that returns bytes such as 0xFF 0xFE
in either header could therefore crash any client that connected to it.
This is purely an availability issue. There is no information disclosure and no
memory-safety impact; the only effect is termination of the current process.
Impact
Remote denial of service. Any Deno application that establishes WebSocket
connections to untrusted or potentially-compromised endpoints could be
terminated by the remote peer. Exploitation requires the victim application to
initiate the outbound WebSocket connection. An attacker who controls the
WebSocket endpoint, or who can man-in-the-middle a plaintext ws:// connection,
could trigger the crash. The effect is confined to crashing the process that
opened the connection.
Patch
The issue is fixed in Deno 2.7.5. The header values are now parsed with
graceful fallbacks: values that cannot be represented as ASCII strings are
skipped instead of aborting the process. A regression test covers a server that
returns non-ASCII bytes in Sec-WebSocket-Protocol.
Users should upgrade to Deno 2.7.5 or later.
Workarounds
Until you can upgrade, only connect to trusted WebSocket endpoints and prefer
wss:// (TLS) over ws://, which prevents a network man-in-the-middle from
injecting malicious header bytes into the handshake response.
References
snoopysecurity Reporter
Summary
A Deno program that opens a client
WebSocketconnection could be crashed bythe remote server. While handling the WebSocket handshake response, Deno parsed
the
Sec-WebSocket-ProtocolandSec-WebSocket-Extensionsresponse headers ina way that assumed their bytes were always printable ASCII. A response header
containing non-visible-ASCII bytes (
0x80-0xFF) caused a panic that abortedthe entire Deno process.
Details
When establishing a client WebSocket connection, Deno read the
Sec-WebSocket-ProtocolandSec-WebSocket-Extensionsheaders from theserver's
101 Switching Protocolsresponse and converted them to stringswithout handling the failure case.
HeaderValue::to_str()returns an error forany value containing bytes outside the visible-ASCII range, so a header carrying
such bytes triggered an unrecoverable error during conversion.
Because the client initiates the outbound connection, the handshake response is
fully controlled by the server. A server that returns bytes such as
0xFF 0xFEin either header could therefore crash any client that connected to it.
This is purely an availability issue. There is no information disclosure and no
memory-safety impact; the only effect is termination of the current process.
Impact
Remote denial of service. Any Deno application that establishes WebSocket
connections to untrusted or potentially-compromised endpoints could be
terminated by the remote peer. Exploitation requires the victim application to
initiate the outbound WebSocket connection. An attacker who controls the
WebSocket endpoint, or who can man-in-the-middle a plaintext
ws://connection,could trigger the crash. The effect is confined to crashing the process that
opened the connection.
Patch
The issue is fixed in Deno
2.7.5. The header values are now parsed withgraceful fallbacks: values that cannot be represented as ASCII strings are
skipped instead of aborting the process. A regression test covers a server that
returns non-ASCII bytes in
Sec-WebSocket-Protocol.Users should upgrade to Deno
2.7.5or later.Workarounds
Until you can upgrade, only connect to trusted WebSocket endpoints and prefer
wss://(TLS) overws://, which prevents a network man-in-the-middle frominjecting malicious header bytes into the handshake response.
References