cbcvebase.
CVE-2021-32640
published 2021-05-25

CVE-2021-32640: ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to…

PriorityP432medium5.3CVSS 3.1
AVNACLPRNUINSUCNINAL
EPSS
2.94%
85.4th percentile
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.

Affected

7 ranges
VendorProductVersion rangeFixed in
debiannode-ws< node-ws 7.4.2+~cs18.0.8-2 (bookworm)node-ws 7.4.2+~cs18.0.8-2 (bookworm)
websocketsws
ws_projectws>= 5.0.0 < 6.2.26.2.2
ws_projectws>= 5.0.0 < 5.2.35.2.3
ws_projectws>= 6.0.0 < 6.2.26.2.2
ws_projectws>= 7.0.0 < 7.4.67.4.6
ws_projectws>= 7.0.0 < 7.4.67.4.6

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv5.3MEDIUM
vendor_debian5.3MEDIUM
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.