ws project: ws vulnerabilities
5 known vulnerabilities affecting ws_project/ws.
Total CVEs: 5
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 1
Vulnerabilities
CVE-2024-37890 | HIGH | affected: ≥ 2.1.0, < 5.2.4; ≥ 6.0.0, < 6.2.3; +2 more ranges | published 2024-06-17
CVE-2024-37890 [HIGH] CWE-476 ws affected by a DoS when handling a request with many HTTP headers
### Impact
A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.
### Proof of concept
```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  // The advisory's header construction and the request that follows are cut
  // off at this point in the listing; the string is closed only so the
  // fragment parses.
  const chars = "!#$%&'*+-.0123456789abcdefghij";
});
```
Sources: GHSA, OSV
CVE-2020-35896 | HIGH | affected: ≥ 0, ≤ 0.9.1 | published 2021-08-25
CVE-2020-35896 [HIGH] CWE-400 Insufficient size checks in ws
An issue was discovered in the ws crate through 2020-09-25 for Rust (this entry concerns the Rust `ws` crate, not the Node.js package the other entries describe). The outgoing buffer is not properly limited, leading to a remote memory-consumption attack.
Sources: GHSA, OSV
CVE-2021-32640 | MEDIUM | CVSS 5.3 | affected: ≥ 5.0.0, < 6.2.2; ≥ 7.0.0, < 7.4.6 | published 2021-05-25
CVE-2021-32640 [MEDIUM] CWE-400
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the i
Sources: GHSA, NVD, OSV
CVE-2016-10518 | HIGH | CVSS 7.5 | fixed in 1.0.1 | published 2018-05-31
CVE-2016-10518 [HIGH] CWE-201
A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need t
Sources: GHSA, NVD, OSV
CVE-2016-10542 | HIGH | CVSS 7.5 | PoC available | affected: ≤ 1.1.0 | published 2018-05-31
CVE-2016-10542 [HIGH] CWE-400
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
Sources: GHSA, NVD, OSV