
URGENT: WebSocket library vulnerable to DoS attacks (CVE-2024-99999)

Critical Security Issue

CVE Details

  • CVE ID: CVE-2024-99999
  • Severity: HIGH (CVSS 7.8)
  • Package: ws@8.13.0
  • Type: Denial of Service (DoS)

Vulnerability Description

The WebSocket library (ws) has a vulnerability that allows attackers to cause memory exhaustion through malformed frames, leading to an application crash.

Exploitation

An attacker can send specially crafted WebSocket messages:

// Malicious payload
ws.send(Buffer.alloc(10000000)); // 10MB payload
// Repeated 100x causes OOM crash

Impact

  • Production AI Chat: ~10,000 concurrent WebSocket connections
  • Potential Impact: Complete service outage
  • Data Loss Risk: In-flight streaming messages lost
  • User Impact: All AI chat sessions disconnected

Detection

  • Found during CI security scan
  • Snyk flagged this on 2025-10-09
  • Production monitoring shows suspicious memory spikes

Remediation Steps

  1. Upgrade ws to 8.17.0+ immediately
  2. Add message size limits (max 1MB)
  3. Implement rate limiting per connection
  4. Add memory monitoring alerts
  5. Deploy with zero-downtime rolling update
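The following is an added example of how steps 2 to 4 can be enforced in a Node `ws` server; it is not code from this issue or from the ws project. It assumes ws 8.17.0 or later is installed for the `startServer` wiring, and the burst size (20 messages), refill rate (10 per second) and RSS alert threshold (1.5 GB) are assumed values to be tuned for the chat service. The size guard, per-connection token bucket and memory check are plain functions so they can be unit-tested without opening a socket.

```javascript
// Added example (not from the issue or the ws project): hardening a Node `ws`
// server against oversized frames and message floods.

const MAX_MESSAGE_BYTES = 1024 * 1024; // remediation step 2: 1 MB cap per message

// Remediation step 3: per-connection token bucket. Up to `capacity` messages
// may burst; tokens refill at `refillPerSec`. `now` is injectable for testing.
class TokenBucket {
  constructor(capacity, refillPerSec, now = Date.now) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.tokens = capacity;
    this.now = now;
    this.last = now();
  }

  // Returns true if the message may be processed, false if it should be refused.
  allow() {
    const t = this.now();
    const elapsedSec = (t - this.last) / 1000;
    this.last = t;
    this.tokens = Math.min(this.capacity, this.tokens + elapsedSec * this.refillPerSec);
    if (this.tokens >= 1) {
      this.tokens -= 1;
      return true;
    }
    return false;
  }
}

// Decide what to do with one inbound message of `byteLength` bytes.
// Returns { ok: true } or { ok: false, closeCode, reason } using standard
// WebSocket close codes (1009 = Message Too Big, 1008 = Policy Violation).
function checkInbound(bucket, byteLength) {
  if (byteLength > MAX_MESSAGE_BYTES) {
    return { ok: false, closeCode: 1009, reason: 'message too big' };
  }
  if (!bucket.allow()) {
    return { ok: false, closeCode: 1008, reason: 'rate limit exceeded' };
  }
  return { ok: true };
}

// Remediation step 4: memory alert. Takes a process.memoryUsage()-shaped
// object so the threshold logic can be tested with constructed values.
function memoryAlert(usage, rssLimitBytes) {
  return { alert: usage.rss > rssLimitBytes, rss: usage.rss };
}

// Wiring into ws. `ws` is loaded lazily so the guard functions above can be
// exercised without the package; assumed tuning values are marked inline.
function startServer(port) {
  const { WebSocketServer } = require('ws');
  const wss = new WebSocketServer({
    port,
    maxPayload: MAX_MESSAGE_BYTES, // ws itself closes with 1009 before buffering more
    perMessageDeflate: false,      // avoids decompression amplification of small frames
  });

  wss.on('connection', (socket) => {
    const bucket = new TokenBucket(20, 10); // assumed: 20-message burst, 10/s sustained
    socket.on('message', (data) => {
      const verdict = checkInbound(bucket, data.length);
      if (!verdict.ok) {
        socket.close(verdict.closeCode, verdict.reason);
        return;
      }
      // ... normal message handling goes here
    });
  });

  // Periodic RSS check; 1.5 GB is an assumed threshold for the alerting hook.
  const RSS_LIMIT = 1.5 * 1024 * 1024 * 1024;
  const timer = setInterval(() => {
    const m = memoryAlert(process.memoryUsage(), RSS_LIMIT);
    if (m.alert) console.error(`memory alert: rss=${m.rss} bytes`);
  }, 5000);
  timer.unref(); // do not keep the process alive just for the monitor

  return wss;
}
```

Call `startServer(8080)` from the application entry point; `maxPayload` makes ws reject oversized frames at the framing layer, and `checkInbound` adds the per-connection rate limit on top of it rather than relying on either control alone.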

Timeline

  • 2025-10-09 11:00: Vulnerability discovered
  • 2025-10-09 11:30: Hotfix branch created
  • 2025-10-09 15:00: Target deployment

Dependencies

Blocked by ui-component-library#6 (must upgrade lodash first)

cc: @dmitry @michael_usanchenko