CVE-2021-32640
Published: 2021-05-25
Priority P4 · Severity medium · CVSS 3.1 base score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS 2.94% (85.4th percentile)
ws is an open source WebSocket client and server library for Node.js. In vulnerable versions the server splits the `Sec-Websocket-Protocol` request header with a regular expression that backtracks quadratically on long runs of whitespace, so a single handshake request carrying a specially crafted value of that header keeps the event loop busy and can significantly slow down a ws server (a regular-expression denial of service, CWE-400). The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options. Both cap the whole header block rather than this one header, and Node's default limit still admits a value long enough to cost measurable CPU, so set the limit close to the header size your clients actually need.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-ws | < 7.4.2+~cs18.0.8-2 (bookworm) | 7.4.2+~cs18.0.8-2 (bookworm) |
| websockets | ws | — | — |
| ws_project | ws | >= 5.0.0 < 5.2.3 | 5.2.3 |
| ws_project | ws | >= 6.0.0 < 6.2.2 | 6.2.2 |
| ws_project | ws | >= 7.0.0 < 7.4.6 | 7.4.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
Red Hat
nodejs-ws: Specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server
vendor_redhat · 2021-05-25 · CVSS 5.3 · MEDIUM · CWE-400
A flaw was fou
Debian
CVE-2021-32640: node-ws - ws is an open source WebSocket client and server library for Node.js. A speciall...
vendor_debian · 2021 · CVSS 5.3 · MEDIUM
Scope: local
bookworm: resolved (fixed in 7.4.2+~cs18.0.8-2)
bullseye: resolved (fixed in 7.4.2+~cs18.0.8-2)
forky: resolved (fixed in 7.4.2+
OSV
ReDoS in Sec-Websocket-Protocol header
osv · 2021-05-28 · MEDIUM
### Impact
A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.
### Proof of concept
```js
// Time the split that vulnerable ws applied to the header value. Each doubling of
// the run of spaces roughly quadruples the time: `/ *, */` is tried at every
// position and backtracks over every shorter run of spaces looking for a comma
// that never comes, so the cost grows with the square of the length.
for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x'; // header value with no comma at all
  const start = process.hrtime.bigint();
  value.trim().split(/ *, */);                  // the vulnerable split
  const end = process.hrtime.bigint();
  console.log('length = %d, time = %f ns', length, end - start);
}
```
### Patches
The vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff) and backported to ws@6.2.2 (https://github.com/websockets/ws/commit/78c676d2a1acefbc05292e9f7ea0a9457704bf1b) and ws@5.2.3 (https://github.com/websockets/ws/commit/76d47c147900202
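The following is an added example that is not code from the ws project or from the advisory. It puts the quadratic split from the proof of concept above beside two defences that the description mentions or implies: a linear-time, regex-free parser for the `Sec-WebSocket-Protocol` list (the shape of fix the patched versions took; this implementation is the example's own), and a per-header length guard that stands in for what `--max-http-header-size` / `maxHeaderSize` do for the whole header block. The `1024` limit and the input strings are assumptions constructed for the demo.

```javascript
// Added example, not ws project code: the quadratic regex split that
// vulnerable ws versions applied to Sec-WebSocket-Protocol, a linear-time
// replacement parser, and a per-header length guard standing in for the
// --max-http-header-size / maxHeaderSize mitigation. Inputs are constructed.

// Vulnerable form. On a value such as 'b' + ' '.repeat(n) + 'x' (no comma)
// `/ *, */` is tried at every position and backtracks over every shorter run
// of spaces before failing, so the cost grows with n * n.
function splitProtocolsVulnerable(header) {
  return header.trim().split(/ *, */);
}

// Hardened form: one left-to-right pass with no regex. A subprotocol name is an
// RFC 6455 token (RFC 7230 tchar); names are comma-separated with optional
// spaces or tabs around the comma. Empty items, duplicates, a name broken by
// whitespace, and any other character are rejected with SyntaxError.
const TOKEN_CHARS = new Set(
  "!#$%&'*+-.^_`|~0123456789" +
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
);

function addProtocol(protocols, name) {
  if (protocols.has(name)) {
    throw new SyntaxError(`The "${name}" subprotocol is duplicated`);
  }
  protocols.add(name);
}

function parseSubprotocols(header) {
  const protocols = new Set();
  let start = -1; // index where the current name began, -1 if none
  let end = -1;   // index one past the current name once whitespace ended it

  for (let i = 0; i < header.length; i++) {
    const ch = header[i];
    if (TOKEN_CHARS.has(ch)) {
      if (end !== -1) throw new SyntaxError(`Unexpected character at index ${i}`);
      if (start === -1) start = i;
    } else if (ch === ' ' || ch === '\t') {
      if (start !== -1 && end === -1) end = i;
    } else if (ch === ',') {
      if (start === -1) throw new SyntaxError(`Unexpected character at index ${i}`);
      if (end === -1) end = i;
      addProtocol(protocols, header.slice(start, end));
      start = -1;
      end = -1;
    } else {
      throw new SyntaxError(`Unexpected character at index ${i}`);
    }
  }

  if (start === -1) throw new SyntaxError('Unexpected end of input');
  if (end === -1) end = header.length;
  addProtocol(protocols, header.slice(start, end));
  return protocols;
}

// Stop-gap for a server that cannot upgrade yet: refuse the value before it
// reaches the regex. Node's --max-http-header-size / maxHeaderSize options do
// this for the whole header block inside the HTTP parser; this guard does it
// for one value, and the 1024-character limit is an assumed, site-specific choice.
function splitProtocolsGuarded(header, maxLength = 1024) {
  if (header.length > maxLength) {
    throw new RangeError(`Sec-WebSocket-Protocol longer than ${maxLength} characters`);
  }
  return splitProtocolsVulnerable(header);
}

// Wall-clock milliseconds spent in fn(input); a rejection still counts as done.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  try { fn(input); } catch (_) { /* rejecting the input is the expected outcome */ }
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

if (typeof require !== 'undefined' && require.main === module) {
  const pathological = 'b' + ' '.repeat(8000) + 'x'; // shape taken from the PoC above
  console.log('quadratic split : %s ms', timeMs(splitProtocolsVulnerable, pathological).toFixed(2));
  console.log('linear parser   : %s ms', timeMs(parseSubprotocols, pathological).toFixed(2));
  console.log('length guard    : %s ms', timeMs(splitProtocolsGuarded, pathological).toFixed(2));
  console.log([...parseSubprotocols('graphql-transport-ws, graphql-ws')]);
}
```

Run it with `node` to see the three timings side by side; the linear parser rejects the pathological value at the first token character after the run of spaces, so its cost is one pass over the string regardless of length. The guard keeps the vulnerable split but makes the worst case bounded by the limit you choose, which is exactly the trade-off the header-size options give you at the HTTP layer.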
GHSA
ReDoS in Sec-Websocket-Protocol header
ghsa · 2021-05-28 · MEDIUM · CWE-345
OSV
CVE-2021-32640: ws is an open source WebSocket client and server library for Node
osv · 2021-05-25 · CVSS 5.3 · MEDIUM
No detection rules found.
No public exploits indexed.
HackerOne
Regular Expression Denial of Service vulnerability
hackerone · 2022-04-12 · CVSS 5.3 · MEDIUM
## Summary:
The vulnerability I have found is classified as a Regular Expression Denial of Service. While inspecting the source code file [RealtimeGQLSubscriptionAsync.js](https://www.redditstatic.com/desktop2x/RealtimeGQLSubscriptionAsync.226119a9ae841bb563eb.js) I came across the node_module subscriptions-transport-ws (See Screenshot 1). The search result of the [subscriptions-transport-ws package](https://www.npmjs.com/package/subscriptions-transport-ws) on npmjs.com displayed a large deprecation warning at the top of the page (See Screenshot 2) so I decided to research further. The read-me file within the package [github repository](https://github.com/apollographql/subscriptions-transport-ws) states that the package has been largely u
Bugzilla
CVE-2021-32640 nodejs-ws: Specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server
bugzilla · 2021-05-27 · CVSS 5.3 · MEDIUM
References:
- https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff
- https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
- https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210706-0005/