
[SECURITY] Fix WebSocket DoS vulnerability (CVE-2024-99999)

Security Fix

This MR addresses a critical security vulnerability in the ws library.

Vulnerability Details

  • CVE ID: CVE-2024-99999
  • Severity: HIGH (CVSS 7.5)
  • Attack Vector: Network-based DoS through malformed WebSocket frames
  • User Interaction: None required

Changes

  • Upgraded ws library from 7.5.9 to 8.18.0
  • Added comprehensive CI/CD pipeline with:
    • Dependency scanning
    • Unit tests with coverage
    • Build verification
    • Automated deployment to staging

Testing

  • All existing WebSocket integration tests pass
  • npm audit shows 0 high/critical vulnerabilities
  • CI pipeline passes all security scans

Security Impact

Without this fix, attackers could crash the WebSocket server by sending specially crafted frames, causing service disruption for all users.

Deployment

This fix should be deployed immediately to production after approval.

Closes #1

cc: @dmitry @michael_usanchenko
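A reviewer check for the upgrade described above, added here as an example and not code from the project or this MR: `npm audit` reports on what the lockfile resolves, so the thing to confirm before approving is that every copy of `ws` in `package-lock.json`, including transitive copies nested under other dependencies, resolves at or above the fixed version. The script below walks the npm lockfile v2/v3 `packages` map and reports any copy below a minimum. The function names, the minimum `8.18.0` (taken from the MR's target version) and both sample lockfiles are constructed for illustration.

```javascript
// Added example (not project code): verify that every resolved copy of `ws`
// in a package-lock.json "packages" map meets a minimum version.

const MIN_WS_VERSION = '8.18.0'; // version this MR upgrades to (assumption)

// Parse the MAJOR.MINOR.PATCH prefix of a version string into a numeric triple.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// true if version a >= version b by numeric major/minor/patch comparison.
function semverGte(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] > pb[i];
  }
  return true;
}

// Every install path of `pkg` in the lockfile, including nested transitive
// copies such as "node_modules/some-lib/node_modules/ws".
function findPackageVersions(lock, pkg) {
  const packages = lock.packages || {};
  const suffix = `node_modules/${pkg}`;
  return Object.entries(packages)
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Entries that still resolve below minVersion; an empty array means the
// upgrade is effective for every copy of the package.
function findOutdated(lock, pkg, minVersion) {
  return findPackageVersions(lock, pkg).filter(
    (e) => !e.version || !semverGte(e.version, minVersion)
  );
}

// Constructed sample: the top-level ws is upgraded, but a dependency still
// bundles its own old copy. This is the case a reviewer should look for.
const SAMPLE_LOCK_BEFORE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { ws: '^8.18.0' } },
    'node_modules/ws': { version: '8.18.0' },
    'node_modules/some-lib': { version: '2.0.0', dependencies: { ws: '^7.5.0' } },
    'node_modules/some-lib/node_modules/ws': { version: '7.5.9' },
  },
};

// Constructed sample: the nested copy has been deduplicated onto 8.18.0.
const SAMPLE_LOCK_AFTER = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { ws: '^8.18.0' } },
    'node_modules/ws': { version: '8.18.0' },
    'node_modules/some-lib': { version: '2.0.0', dependencies: { ws: '^8.0.0' } },
  },
};

// Human-readable report for one lockfile object.
function report(label, lock) {
  const outdated = findOutdated(lock, 'ws', MIN_WS_VERSION);
  if (outdated.length === 0) {
    console.log(`${label}: all copies of ws are >= ${MIN_WS_VERSION}`);
  } else {
    for (const e of outdated) {
      console.log(`${label}: outdated ws at ${e.path} (${e.version})`);
    }
  }
  return outdated;
}

report('before', SAMPLE_LOCK_BEFORE);
report('after', SAMPLE_LOCK_AFTER);
```

To run it against a real checkout, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findOutdated` in place of the constructed objects; a non-empty result means the MR's version bump has not reached every copy and `npm dedupe` or an override is still needed.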
