Aphlict, our notification server, is implemented in Node using the ws library; older versions of ws are vulnerable to a DoS attack. The fix for ws was released in June 2024, in version 7.5.10.
More details here: https://github.com/advisories/GHSA-3h5v-q93c-6h6q
Who is Vulnerable
- Any install that is older than June 2024.
- Any install that is older than rPde2b53638299 (May 1st, 2025), but didn't already run npm audit fix.
Mitigation
You'll need to run npm audit fix to get the latest versions.
See also https://we.phorge.it/book/phorge/article/notifications/ for full setup instructions on Aphlict.
Run npm audit
phorge/ $ cd support/aphlict/server/
phorge/support/aphlict/server/ $ npm audit fix
This will update the package.json and package-lock.json files, and will install version 7.5.10 of ws.
npm will report something like:
+ ws@7.5.10
updated 1 package in 0.221s
fixed 1 of 1 vulnerability in 1 scanned packa
Restart Aphlict
phorge/ $ bin/aphlict restart
Revert changes to package.json
To limit conflicts when updating Phorge, revert the local changes made by npm:
phorge/ $ git restore support/aphlict/server/package.json*
This is safe once the restart is complete, because the fixed version of ws has already been installed.
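To verify the result of the steps above before reverting package.json and restarting, here is an added check script (not part of this post or of Phorge itself) that reads the version of ws actually installed under support/aphlict/server/node_modules and reports whether it is at least 7.5.10; the directory layout and the version-comparison helper are assumptions made here.

```sh
#!/bin/sh
# Added check script (not part of the Phorge post or the Phorge code base).
# It confirms that the ws package installed for Aphlict is at least 7.5.10,
# so you can verify the result of `npm audit fix` before reverting
# package.json and restarting Aphlict. Assumes the checkout layout from the
# post: the Aphlict server lives in support/aphlict/server/.

WS_FIXED_VERSION="7.5.10"   # first ws release with the fix, per the post

# version_ge A B: succeed if dotted version A is >= B, comparing field by field
# (missing trailing fields count as 0, so 7.5 < 7.5.10).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    case "$a" in *.*) ah="${a%%.*}"; a="${a#*.}" ;; *) ah="$a"; a="" ;; esac
    case "$b" in *.*) bh="${b%%.*}"; b="${b#*.}" ;; *) bh="$b"; b="" ;; esac
    [ "${ah:-0}" -gt "${bh:-0}" ] && return 0
    [ "${ah:-0}" -lt "${bh:-0}" ] && return 1
  done
  return 0
}

# installed_ws_version DIR: print the version of ws under DIR/node_modules,
# read from its package.json; fail if ws is not installed there.
installed_ws_version() {
  pkg="$1/node_modules/ws/package.json"
  [ -f "$pkg" ] || return 1
  ver=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
  [ -n "$ver" ] || return 1
  echo "$ver"
}

# check_aphlict_ws DIR: succeed if the ws under DIR is fixed, fail (with a
# message) if it is missing or older than WS_FIXED_VERSION.
check_aphlict_ws() {
  v=$(installed_ws_version "$1") || { echo "ws is not installed under $1"; return 1; }
  if version_ge "${v%%-*}" "$WS_FIXED_VERSION"; then   # drop any -prerelease suffix
    echo "ws $v installed under $1: fixed (>= $WS_FIXED_VERSION)"
    return 0
  fi
  echo "ws $v installed under $1: VULNERABLE, run 'npm audit fix' there"
  return 1
}

# When run from a Phorge checkout, check the Aphlict server directory;
# the directory test makes this a no-op anywhere else.
if [ -d "${1:-support/aphlict/server}/node_modules" ]; then
  check_aphlict_ws "${1:-support/aphlict/server}"
fi
```

Run it from the Phorge root after `npm audit fix`; a non-zero exit means the installed ws is still older than 7.5.10 (or missing) and Aphlict should not be considered patched yet.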
Fix and More Details
We've released the fix from D25967 in master (rPde2b53638299), and will probably release it to stable in about 2 weeks.
The issue is tracked at T16037.
We'll update this blog post as needed.
Event Timeline
Thanks for this! Is this at all related to the security vulnerability warning I got with npm install last month, which prompted me to run npm audit fix?
ws is literally our only npm dependency, so I'm gonna guess that yes, it's the same issue :)
Thanks. We can update the "We didn't yet release a fix on Phorge" and the "We'll release" parts, since D25967 is now fixed in master 👍