CVE-2016-10542
Published 2018-05-31
Priority: P3 · 51 · high · CVSS 3.0: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT
EPSS: 7.54% (93.7th percentile)
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-ws | < node-ws 1.1.0+ds1.e6ddaae4-5 (bookworm) | node-ws 1.1.0+ds1.e6ddaae4-5 (bookworm) |
| hackerone | ws_node_module | — | — |
| ws_project | ws | <= 1.1.0 | — |
| ws_project | ws | >= 0 < 1.1.1 | 1.1.1 |
Detection & IOCs
- Detect exploitation attempts by monitoring for abnormally long or crafted Sec-WebSocket-Extensions header values in WebSocket upgrade requests targeting Node.js ws servers.
- Monitor for unexpected Node.js process crashes following receipt of oversized WebSocket payloads, which may indicate active DoS exploitation.
- Vulnerable versions are ws 1.1.0 and earlier; systems running these versions are at risk of process crash via this DoS vector.
- A Metasploit auxiliary module exists for this vulnerability (dos/http/ws_dos), lowering the bar for exploitation.
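CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |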
GHSA
DoS due to excessively large websocket message in ws
ghsa·2019-02-18
CVE-2016-10542 [HIGH] CWE-400 DoS due to excessively large websocket message in ws
Affected versions of `ws` do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.
## Recommendation
Update to version 1.1.1 or later.
Alternatively, set the `maxPayload` option for the `ws` server to a value smaller than 256MB.
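
A payload limit like the one recommended above can be enforced by reading the length a frame declares in its RFC 6455 header and rejecting the frame before any payload is buffered. The sketch below is an added example, not code from the `ws` project; the helper names `declaredPayloadLength` and `exceedsLimit`, the 1 MiB limit and the sample headers are constructed for illustration.

```javascript
// Added illustration (not ws project code). Helper names are hypothetical;
// the frame layout follows RFC 6455 section 5.2.

// Returns the payload length a frame header declares, as a BigInt, or null
// when `buf` does not yet contain the complete length field.
function declaredPayloadLength(buf) {
  if (buf.length < 2) return null;
  const len7 = buf[1] & 0x7f;             // low 7 bits; the top bit is MASK
  if (len7 < 126) return BigInt(len7);    // length fits in the 7-bit field
  if (len7 === 126) {
    if (buf.length < 4) return null;
    return BigInt(buf.readUInt16BE(2));   // 16-bit extended length
  }
  if (buf.length < 10) return null;
  return buf.readBigUInt64BE(2);          // 64-bit extended length
}

// True when the frame should be rejected before its payload is read.
function exceedsLimit(buf, maxPayload) {
  const declared = declaredPayloadLength(buf);
  return declared !== null && declared > BigInt(maxPayload);
}

// Constructed sample headers; no payload bytes are attached.
const smallText = Buffer.from([0x81, 0x85]);              // masked, 5 bytes
const mediumBin = Buffer.from([0x82, 0xfe, 0x01, 0x00]);  // masked, 256 bytes
const hugeBin = Buffer.concat([
  Buffer.from([0x82, 0xff]),                              // masked, 64-bit length
  Buffer.from('0000000020000000', 'hex'),                 // declares 512 MiB
]);

const LIMIT = 1024 * 1024; // example cap of 1 MiB (assumed value)
for (const [name, hdr] of [['small', smallText], ['medium', mediumBin], ['huge', hugeBin]]) {
  const verdict = exceedsLimit(hdr, LIMIT) ? 'reject' : 'accept';
  console.log(name, String(declaredPayloadLength(hdr)), verdict);
}
```

Because the decision uses only the header, the oversized frame is refused without allocating memory for its payload.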
OSV
DoS due to excessively large websocket message in ws
osv·2019-02-18
CVE-2016-10542 [HIGH] DoS due to excessively large websocket message in ws
OSV
CVE-2016-10542: ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node
osv·2018-05-31·CVSS 7.5
Debian
CVE-2016-10542: node-ws - ws is a "simple to use, blazing fast and thoroughly tested websocket client, ser...
vendor_debian·2016·CVSS 7.5
Scope: local
bookworm: resolved (fixed in 1.1.0+ds1.e6ddaae4-5)
bullseye: resolved (fixed in 1.1.0+ds1.e6ddaae4-5)
forky: resolved (fixed in 1.1.0+ds1.e6ddaae4-5)
sid: resolved (fixed in 1.1.0+ds1.e6ddaae4-5)
trixie: resolved (fixed in 1.1.0+ds1.e6ddaae4-5)
No detection rules found.
No writeups or analysis indexed.
Published: 2018-05-31