Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-10542: Uncontrolled Resource Consumption in Node-ws

Severity
7.5 HIGH (NVD)
EPSS
66.1%
top 1.48%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: May 31
Latest update: Feb 18

Description

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

debian: debian/node-ws, < node-ws 1.1.0+ds1.e6ddaae4-5 (bookworm)
CVEListV5: hackerone/ws_node_module, <=1.1.0
npm: ws_project/ws, < 1.1.1
NVD: ws_project/ws, 1.1.0

🔴Vulnerability Details

3
GHSA
DoS due to excessively large websocket message in ws (2019-02-18)
OSV
DoS due to excessively large websocket message in ws (2019-02-18)
OSV
CVE-2016-10542: ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node (2018-05-31)

💥Exploits & PoCs

1
Metasploit
ws - Denial of Service

📋Vendor Advisories

1
Debian
CVE-2016-10542: node-ws - ws is a "simple to use, blazing fast and thoroughly tested websocket client, ser... (2016)