DoS attack against Aphlict
Notification server at risk

Aphlict, our notification server, is implemented in Node using the ws library; older versions of ws are vulnerable to a DoS attack. The fix for ws was released in June 2024, in version 7.5.10.
More details here: https://github.com/advisories/GHSA-3h5v-q93c-6h6q

Who is Vulnerable

  • Any install that is older than June 2024.
  • Any install that is older than rPde2b53638299 (May 1st, 2025), but didn't already run npm audit fix.
We released a fix on master, but not yet in stable. New installs that use stable still need to run npm audit fix.
The standard upgrade procedure does not include upgrading dependencies, so all installs that were first created before the fix was applied should follow the steps below. There's also no risk in running these steps on an install that already has a good version of ws.

Mitigation

You'll need to run npm audit fix to get the latest versions.
See also https://we.phorge.it/book/phorge/article/notifications/ for full setup instructions on Aphlict.

Depending on your setup, some of these commands will likely require an appropriate sudo prefix.

Run npm audit

phorge/ $ cd support/aphlict/server/
phorge/support/aphlict/server/ $ npm audit fix

This will update the package.json and package-lock.json files, and will install version 7.5.10 of ws.
npm will report something like:

+ ws@7.5.10
updated 1 package in 0.221s
fixed 1 of 1 vulnerability in 1 scanned package

Restart Aphlict

phorge/ $ bin/aphlict restart

Revert changes to package.json

To limit conflicts when updating Phorge, revert the local changes made by npm:

phorge/ $ git restore support/aphlict/server/package.json*

Once the restart is complete, this is safe: the fixed version of ws is already installed under node_modules, and package.json only records the declared dependency.
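As an added example (not code from the Phorge post or the Phorge project), here is a small POSIX sh check that reads the ws version Aphlict actually has installed and tells you whether the steps above are still needed. It assumes the fixed release is 7.5.10 as stated above, that ws lives at support/aphlict/server/node_modules/ws/package.json, and it exercises itself on a constructed sample checkout rather than a real install.

```shell
#!/bin/sh
# Fixed release named in the post (7.x line only; other ws major lines have
# their own fixed releases, see the advisory linked above).
FIXED_WS_VERSION="7.5.10"

# Print the "version" field of the package.json given as $1.
installed_ws_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Compare two dotted numeric versions; print -1, 0 or 1 (missing parts count as 0).
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# "yes" if the given ws version is still below the fixed release, "no" otherwise.
ws_needs_fix() {
    if [ "$(version_cmp "$1" "$FIXED_WS_VERSION")" -lt 0 ]; then echo yes; else echo no; fi
}

# Check a Phorge checkout whose root is $1. Returns 0 if ws is fixed, 1 if it
# still needs 'npm audit fix', 2 if ws is not installed at all.
check_aphlict_ws() {
    pkg="$1/support/aphlict/server/node_modules/ws/package.json"
    [ -f "$pkg" ] || { echo "ws is not installed under $1"; return 2; }
    v="$(installed_ws_version "$pkg")"
    if [ "$(ws_needs_fix "$v")" = yes ]; then
        echo "ws $v is affected; run 'npm audit fix' in support/aphlict/server and restart Aphlict"
        return 1
    fi
    echo "ws $v is at or above $FIXED_WS_VERSION"
    return 0
}

# Constructed sample checkout (hypothetical, not a real install) to exercise the check.
demo_root="$(mktemp -d)"
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/support/aphlict/server/node_modules/ws"
printf '{\n  "name": "ws",\n  "version": "7.5.9"\n}\n' > "$demo_root/support/aphlict/server/node_modules/ws/package.json"
check_aphlict_ws "$demo_root" || true
```

Point check_aphlict_ws at your real checkout root to run it against an actual install.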

Fix and More Details

We've released the fix from D25967 in master (rPde2b53638299), and will probably release it in stable in about 2 weeks.
The issue is tracked at T16037.
We'll update this blog post as needed.

Written by avivey on Thu, May 1, 08:04.

Event Timeline

Thanks for this! Is this related at all to the security vulnerability warning I got with npm install last month, which prompted me to run npm audit fix?

In J6#66, @Cigaryno wrote:

Thanks for this! Is this related at all to the security vulnerability warning I got with npm install last month, which prompted me to run npm audit fix?

ws is literally our only npm dependency, so I'm gonna guess that yes, it's the same issue :)

Thanks. We can update the "We didn't yet release a fix on Phorge" and the "We'll release" parts, since D25967 is now fixed in master 👍