OCPBUGS-91731: Fix CVE-2026-45736 ws uninitialized memory disclosure via websocket.close()#16708
jrangelramos wants to merge 1 commit into
Conversation
@jrangelramos: This pull request references Jira Issue OCPBUGS-91731, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug. The bug has been updated to refer to the pull request using the external bug tracker.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: jrangelramos. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
Walkthrough: This change updates frontend/package.json to add two ws package resolution overrides, forcing dependency resolvers to use ws version >=8.20.1 for both ws@^8.18.0 and ws@^8.18.2 ranges within the existing resolutions block.
Changes: Dependency Resolution Update
Estimated code review effort: 1 (Trivial) | ~2 minutes. Related PRs: None identified. Suggested labels: dependencies. Suggested reviewers: None identified. Pre-merge checks: 15 passed.
@jrangelramos: This pull request references Jira Issue OCPBUGS-91731, which is valid. 3 validation(s) were run on this bug.
Actionable comments posted: 2
Prompt for all review comments with AI agents:
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
Inline comments in `frontend/package.json`:
- Around lines 340-341: The package resolution entries for ws are using an open-ended semver range, which breaks the intended security pinning. Update the ws resolutions in package.json to an exact patched version instead of ">=8.20.1", and keep the two ws selectors aligned; use the package.json resolution keys (ws@^8.18.0 and ws@^8.18.2) to locate and replace the values with a fixed release.
- Around lines 340-341: The ws resolution entries in package.json are too loose because they allow future versions beyond the patched release. Update the existing ws override selectors to pin both ws@^8.18.0 and ws@^8.18.2 to the exact patched version used in the repo, and keep the change confined to the package.json resolutions/overrides block so installs stay deterministic.
Review info
Run configuration: Repository: openshift/coderabbit/.coderabbit.yaml; Review profile: CHILL; Plan: Enterprise; Run ID: a9c24c6e-1c28-42d1-b9e0-9f67055bb349
Files ignored due to path filters (1): frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
Files selected for processing (1): frontend/package.json
@jrangelramos: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
…via websocket.close()

Add scoped yarn resolutions to bump ws from 8.20.0 to >=8.20.1 for all 8.x consumers. The ws package prior to 8.20.1 is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument to websocket.close().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

43a97cd to e5b26c9
Analysis / Root cause
`ws` (WebSocket client and server for Node.js) versions prior to 8.20.1 are vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the `reason` argument to `websocket.close()` (CVE-2026-45736). The package is a transitive dependency in the console frontend at version 8.20.0, pulled in by `@kubernetes/client-node`, `jsdom`, `puppeteer-core`, and `webpack-dev-server`.

Solution description
Add scoped yarn resolutions for `ws@^8.18.0` and `ws@^8.18.2` to `>=8.20.1` in `frontend/package.json`. This bumps only the 8.x consumers to the patched version while leaving 5.x (subscriptions-transport-ws) and 7.x (webpack-bundle-analyzer) consumers on their respective major versions.

Screenshots / screen recording
N/A — dependency version bump only, no visual changes.

Test setup
No special setup required.

Test cases
- `yarn install` completes without errors
- `webpack --mode=development` succeeds (986 assets, 20219 modules)
- `ws@5.x` and `ws@7.x` consumers are not affected by the resolution

Browser conformance
N/A — no runtime behavior changes beyond the security fix.
Additional info
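The PR's "Solution description" and "Test cases" (8.x consumers move to the patched release, 5.x and 7.x consumers stay put) and the CodeRabbit comments about the open-ended `>=8.20.1` value can both be checked mechanically against the lockfile. The script below is an added example, not code from openshift/console, ws, or CodeRabbit. It parses yarn.lock v1 entries for `ws`, compares each 8.x consumer's resolved version with 8.20.1, lists the non-8.x consumers so a before/after diff can confirm they were untouched, and flags resolution values that are ranges rather than exact pins. The lockfile excerpts and the `ws@^5.2.0` / `ws@^7.3.1` selectors are constructed for the example (the page names the 5.x and 7.x consumers but not their ranges); the `RESOLUTIONS` object mirrors only the two keys the PR adds.

```javascript
'use strict';
// Added example for this PR page, not code from openshift/console or from ws.
// Audits yarn.lock v1 entries for `ws` against a resolutions block to check the
// PR's intent: 8.x consumers land on >= 8.20.1, 5.x and 7.x are untouched, and
// (the CodeRabbit point) resolution values are exact pins, not open ranges.

// First ws release without CVE-2026-45736, as stated in the PR description.
const PATCHED = '8.20.1';

// Constructed resolutions block mirroring the PR's two keys and values
// (assumption: the real frontend/package.json has more keys; only ws matters here).
const RESOLUTIONS = {
  'ws@^8.18.0': '>=8.20.1',
  'ws@^8.18.2': '>=8.20.1',
};

// Constructed yarn.lock v1 excerpts (not the repository's real lockfile).
// "Before" is the state the PR describes (ws 8.20.0); "after" is post-resolution.
// The 5.x and 7.x selector ranges are assumptions for the example.
const SAMPLE_LOCK_BEFORE = `
# yarn lockfile v1

ws@^5.2.0:
  version "5.2.4"
  resolved "https://registry.yarnpkg.com/ws/-/ws-5.2.4.tgz"

ws@^7.3.1:
  version "7.5.10"
  resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.10.tgz"

ws@^8.18.0, ws@^8.18.2:
  version "8.20.0"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.20.0.tgz"
`;
const SAMPLE_LOCK_AFTER = SAMPLE_LOCK_BEFORE.replace(/8\.20\.0/g, '8.20.1');

// "ws@^8.18.0" -> "ws"; "@scope/pkg@^1.0.0" -> "@scope/pkg".
function selectorName(sel) {
  const at = sel.lastIndexOf('@');
  return at <= 0 ? sel : sel.slice(0, at);
}

// Parse yarn.lock v1 into [{ selectors, version }] for one package name.
// A v1 entry is a header line `sel1, sel2:` (selectors may be quoted) followed
// by indented `version "x.y.z"` / `resolved` / `integrity` lines.
function parseLockEntries(lockText, pkgName) {
  const entries = [];
  let current = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const selectors = line.slice(0, -1).split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { selectors, version: null };
      if (selectors.some((s) => selectorName(s) === pkgName)) entries.push(current);
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Minimal semver handling: "8.20.1" -> [8, 20, 1]; no dependency on the semver package.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Audit one lockfile against the resolutions block.
function auditWsResolutions(lockText, resolutions, patched = PATCHED) {
  const report = { vulnerable: [], uncovered8x: [], otherMajors: [], openRanges: [] };
  for (const [key, value] of Object.entries(resolutions)) {
    // Only an exact version pins the install; "^", ">=" and friends float.
    if (!/^\d+\.\d+\.\d+$/.test(value)) report.openRanges.push(`${key} -> ${value}`);
  }
  for (const { selectors, version } of parseLockEntries(lockText, 'ws')) {
    for (const sel of selectors) {
      const majorMatch = /(\d+)/.exec(sel.slice(sel.lastIndexOf('@') + 1));
      const selectorMajor = majorMatch ? Number(majorMatch[1]) : NaN;
      if (selectorMajor !== 8) { report.otherMajors.push(`${sel} -> ${version}`); continue; }
      if (!(sel in resolutions)) report.uncovered8x.push(sel);
      if (compareVersions(version, patched) < 0) report.vulnerable.push(`${sel} -> ${version}`);
    }
  }
  report.ok = report.vulnerable.length === 0 && report.uncovered8x.length === 0;
  return report;
}

// The PR's third test case: 5.x and 7.x consumers resolve identically before and after.
function otherMajorsUnchanged(beforeLock, afterLock) {
  const before = auditWsResolutions(beforeLock, RESOLUTIONS).otherMajors;
  const after = auditWsResolutions(afterLock, RESOLUTIONS).otherMajors;
  return JSON.stringify(before) === JSON.stringify(after);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditWsResolutions(SAMPLE_LOCK_AFTER, RESOLUTIONS), null, 2));
}
```

Run it with `node` against the real `frontend/yarn.lock` by replacing the constructed excerpt with the file contents; `ok` is true once no 8.x selector resolves below 8.20.1, and `openRanges` stays non-empty until the resolution values are changed from `>=8.20.1` to an exact `8.20.1`, which is what the review comments ask for.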