A specially crafted value of the Sec-WebSocket-Extensions header used by Object.prototype property names as extension or parameter names could be used to make a ws server crash. Upstream patch: https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407 References: https://snyk.io/vuln/npm:ws:20171108
Created nodejs-ws tracking bugs for this issue: Affects: epel-all [bug 1516541] Affects: fedora-all [bug 1516540]