CVE-2021-32640Uncontrolled Resource Consumption in Node-ws

CWE-400Uncontrolled Resource ConsumptionCWE-345Insufficient Verification of Data Authenticity7 documents6 sources
Severity
5.3MEDIUMNVD
EPSS
0.5%
top 36.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
WS Project WSDebian Node-wsWebsockets WS
Timeline
PublishedMay 25
Latest updateApr 12

Description

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

CVEListV5websockets/ws>= 5.0.0 <= 7.4.5
debiandebian/node-ws< node-ws 7.4.2+~cs18.0.8-2 (bookworm)
NVDws_project/ws5.0.06.2.2+1
npmws_project/ws7.0.07.4.6+2

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
ReDoS in Sec-Websocket-Protocol header2021-05-28
GHSA
ReDoS in Sec-Websocket-Protocol header2021-05-28
OSV
CVE-2021-32640: ws is an open source WebSocket client and server library for Node2021-05-25

📋Vendor Advisories

2
Red Hat
nodejs-ws: Specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server2021-05-25
Debian
CVE-2021-32640: node-ws - ws is an open source WebSocket client and server library for Node.js. A speciall...2021

💬Community

1
HackerOne
Regular Expression Denial of Service vulnerability2022-04-12