nhooyr.io/websocket - PRISMA-2021-0118
pgr-josh-wells opened this issue
Josh Wells commented
https://security.snyk.io/vuln/SNYK-GOLANG-NHOOYRIOWEBSOCKET-1244972
https://github.com/cilium/hubble-ui/blob/master/backend/go.mod#L62
Fixed in v1.8.7
websocket package versions before v1.8.7 are vulnerable to Denial of Service (DoS). A double-channel close panic was possible if a peer sent back multiple pongs for every ping. If the second ping arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and so a panic would ensue.
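The double-close condition described in the issue, reproduced deterministically as an added example that is not part of the original post and is not nhooyr.io/websocket's code. The `pinger` type, `onPong`, `deliverPongs` and the `"ping-1"` payload are hypothetical names for a simplified model; the hardened branch is one way to avoid the second close, not necessarily the change shipped in v1.8.7.

```go
package main

import (
	"fmt"
	"sync"
)

// pinger is a simplified model (an assumption, not the library's code) of a
// connection that tracks in-flight pings in a map keyed by ping payload.
type pinger struct {
	mu     sync.Mutex
	active map[string]chan struct{}
}

// onPong wakes the goroutine waiting on ping id by closing its channel.
// hardened=false leaves the map entry for the waiter to delete later, so a
// second pong inside that window closes the same channel again and panics.
// hardened=true deletes the entry under the lock, so only the first pong
// can ever reach the channel.
func (p *pinger) onPong(id string, hardened bool) {
	p.mu.Lock()
	ch, ok := p.active[id]
	if hardened {
		delete(p.active, id)
	}
	p.mu.Unlock()
	if ok {
		close(ch)
	}
}

// deliverPongs answers one outstanding ping with n pongs before the waiter has
// cleaned up, and reports whether the handler panicked.
func deliverPongs(hardened bool, n int) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	p := &pinger{active: map[string]chan struct{}{"ping-1": make(chan struct{})}}
	for i := 0; i < n; i++ {
		p.onPong("ping-1", hardened)
	}
	return false
}

func main() {
	fmt.Println("weak handler, 2 pongs, panicked:", deliverPongs(false, 2))
	fmt.Println("hardened handler, 2 pongs, panicked:", deliverPongs(true, 2))
}
```

In a real server the panic is not recovered inside the handler, so one duplicate pong takes down the whole process; that is why the issue is rated as a denial of service and why the dependency in `go.mod` needs to be at v1.8.7 or later.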