sockjs/sockjs-node

Security Vulnerability Issue

iadibar opened this issue · 2 comments

I'm using websocket-driver, which is dependent on sockjs-node. sockjs-node is dependent on
faye-websocket, "websocket-driver": ">=0.5.1" (inside package-lock.json).
When I scan my app (with Veracode SCA) I get Uninitialized Buffer Allocation from websocket-driver version 0.6.5.
They suggest updating websocket-driver to version 0.7.1, so that it is not a vulnerable version, but I can not do it in my code because the dependencies are inside your code, so I'll be happy if you can update your websocket-driver version to 0.7.1 (inside package-lock.json -> faye-websocket -> websocket-driver dependency).

The security issue:
Uninitialized Buffer Allocation
websocket-driver is vulnerable to uninitialized buffer allocation attacks. The library contains an uninitialized memory allocation when handling a large number, which can allow a malicious user to gain access to sensitive information or crash the application.

Screenshot from the Veracode SCA security scan:
You can see that they recommend updating the websocket-driver version to fix this issue.
Image 22-12-2020 at 8 42

There's a vulnerability with version faye-websocket@0.10.0 as one of the dependencies of this package. After a security scan by Sonar dependency check, it reported a vulnerability from package faye-websocket@0.10.0 rated as Using Components with Known Vulnerabilities (https://cwe.mitre.org/data/definitions/937.html).

Solution:
An update to version 0.11.3 should solve this problem.
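Both reports above boil down to a transitive copy of websocket-driver (fixed in 0.7.1) or faye-websocket (fixed in 0.11.3) nested under another package in package-lock.json. The following added example, which is not code from sockjs-node or either scanner, walks a v1 lockfile tree and reports every nested copy below those versions together with the dependency path that pulls it in; the lockfile fragment is constructed, and the `fixed` thresholds are the versions named in this issue.

```javascript
// Added example: find transitive copies of vulnerable packages in an npm v1 package-lock.json.
// Thresholds are the fixed versions named in this issue (constructed mapping, not from npm).
const FIXED = { 'websocket-driver': '0.7.1', 'faye-websocket': '0.11.3' };

// Constructed lockfile fragment mirroring the nesting described in the issue:
// package-lock.json -> faye-websocket -> websocket-driver. (v2/v3 "packages" maps are not handled.)
const sampleLock = {
  name: 'my-app', lockfileVersion: 1,
  dependencies: {
    sockjs: { version: '0.3.20', dependencies: {
      'faye-websocket': { version: '0.10.0', dependencies: {
        'websocket-driver': { version: '0.6.5' } } } } },
    'websocket-driver': { version: '0.7.3' }   // hoisted copy that is already fixed
  }
};

// Compare dotted numeric versions; returns -1, 0 or 1. Pre-release suffixes are dropped.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively visit every nested "dependencies" object and record each copy below its fixed version,
// keeping the path so the maintainer can see which parent package pins the old release.
function findOutdated(lock, fixed = FIXED) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${meta.version}`];
      if (fixed[name] && compareVersions(meta.version, fixed[name]) < 0) {
        findings.push({ name, version: meta.version, fixed: fixed[name], path: here.join(' -> ') });
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

for (const f of findOutdated(sampleLock)) {
  console.log(`${f.path}: ${f.version} is below fixed version ${f.fixed}`);
}
```

Running it against a real lockfile is a matter of replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; the hoisted 0.7.3 copy is correctly ignored while the nested 0.6.5 copy is reported with its full path.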

This has been fixed since 0efb3c9 and version 0.3.21