
    4 vulnerabilities by websockets

    CVE-2026-48779 (GCVE-0-2026-48779)

    Vulnerability from cvelistv5 – Published: 2026-06-16 21:26 – Updated: 2026-06-17 18:12
    VLAI
    Title
    ws: Memory exhaustion DoS from tiny fragments and data chunks
    Summary
    ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    websockets ws Affected: >= 1.1.0, < 5.2.5
    Affected: >= 6.0.0, < 6.2.4
    Affected: >= 7.0.0, < 7.5.11
    Affected: >= 8.0.0, < 8.21.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48779",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T18:07:28.748295Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T18:12:48.129Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ws",
              "vendor": "websockets",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.1.0, \u003c 5.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.2.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.5.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.21.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T21:26:22.537Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p"
            },
            {
              "name": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7"
            },
            {
              "name": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53"
            },
            {
              "name": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"
            },
            {
              "name": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8"
            }
          ],
          "source": {
            "advisory": "GHSA-96hv-2xvq-fx4p",
            "discovery": "UNKNOWN"
          },
          "title": "ws: Memory exhaustion DoS from tiny fragments and data chunks"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48779",
        "datePublished": "2026-06-16T21:26:22.537Z",
        "dateReserved": "2026-05-22T20:18:20.365Z",
        "dateUpdated": "2026-06-17T18:12:48.129Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45736 (GCVE-0-2026-45736)

    Vulnerability from cvelistv5 – Published: 2026-05-15 14:53 – Updated: 2026-05-16 01:09
    VLAI
    Title
    ws: Uninitialized memory disclosure
    Summary
    ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-908 - Use of Uninitialized Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    websockets ws Affected: >= 8.0.0, < 8.20.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45736",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-16T01:08:38.777055Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-16T01:09:15.903Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ws",
              "vendor": "websockets",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.20.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-908",
                  "description": "CWE-908: Use of Uninitialized Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-15T14:53:57.263Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx"
            },
            {
              "name": "https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086"
            }
          ],
          "source": {
            "advisory": "GHSA-58qx-3vcg-4xpx",
            "discovery": "UNKNOWN"
          },
          "title": "ws: Uninitialized memory disclosure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45736",
        "datePublished": "2026-05-15T14:53:57.263Z",
        "dateReserved": "2026-05-13T06:54:34.219Z",
        "dateUpdated": "2026-05-16T01:09:15.903Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-37890 (GCVE-0-2024-37890)

    Vulnerability from cvelistv5 – Published: 2024-06-17 19:09 – Updated: 2024-08-02 03:57
    VLAI
    Title
    Denial of service when handling a request with many HTTP headers in ws
    Summary
    ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    Impacted products
    Vendor Product Version
    websockets ws Affected: >= 2.1.0, < 5.2.4
    Affected: >= 6.0.0, < 6.2.3
    Affected: >= 7.0.0, < 7.5.10
    Affected: >= 8.0.0, < 8.17.1
    websockets ws Affected: 2.1.0
        cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*
    websockets ws Affected: 0 , < 5.2.4 (custom)
        cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*
    websockets ws Affected: 6.0.0
        cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*
    websockets ws Affected: 0 , < 6.2.3 (custom)
        cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*
    websockets ws Affected: 7.0.0
        cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*
    websockets ws Affected: 0 , < 7.5.10 (custom)
        cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*
    websockets ws Affected: 8.0.0
        cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*
    websockets ws Affected: 0 , < 8.17.1 (custom)
        cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ws",
                "vendor": "websockets",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.1.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ws",
                "vendor": "websockets",
                "versions": [
                  {
                    "lessThan": "5.2.4",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ws",
                "vendor": "websockets",
                "versions": [
                  {
                    "status": "affected",
                    "version": "6.0.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ws",
                "vendor": "websockets",
                "versions": [
                  {
                    "lessThan": "6.2.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ws",
                "vendor": "websockets",
                "versions": [
                  {
                    "status": "affected",
                    "version": "7.0.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ws",
                "vendor": "websockets",
                "versions": [
                  {
                    "lessThan": "7.5.10",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ws",
                "vendor": "websockets",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:websockets:ws:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ws",
                "vendor": "websockets",
                "versions": [
                  {
                    "lessThan": "8.17.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37890",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-18T13:25:45.808140Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-18T13:44:06.402Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:57:40.022Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q"
              },
              {
                "name": "https://github.com/websockets/ws/issues/2230",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/websockets/ws/issues/2230"
              },
              {
                "name": "https://github.com/websockets/ws/pull/2231",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/websockets/ws/pull/2231"
              },
              {
                "name": "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f"
              },
              {
                "name": "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e"
              },
              {
                "name": "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c"
              },
              {
                "name": "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63"
              },
              {
                "name": "https://nodejs.org/api/http.html#servermaxheaderscount",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://nodejs.org/api/http.html#servermaxheaderscount"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ws",
              "vendor": "websockets",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.1.0, \u003c 5.2.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.2.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.5.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.17.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-17T19:09:02.127Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q"
            },
            {
              "name": "https://github.com/websockets/ws/issues/2230",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/websockets/ws/issues/2230"
            },
            {
              "name": "https://github.com/websockets/ws/pull/2231",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/websockets/ws/pull/2231"
            },
            {
              "name": "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f"
            },
            {
              "name": "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e"
            },
            {
              "name": "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c"
            },
            {
              "name": "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63"
            },
            {
              "name": "https://nodejs.org/api/http.html#servermaxheaderscount",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://nodejs.org/api/http.html#servermaxheaderscount"
            }
          ],
          "source": {
            "advisory": "GHSA-3h5v-q93c-6h6q",
            "discovery": "UNKNOWN"
          },
          "title": "Denial of service when handling a request with many HTTP headers in ws"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-37890",
        "datePublished": "2024-06-17T19:09:02.127Z",
        "dateReserved": "2024-06-10T19:54:41.360Z",
        "dateUpdated": "2024-08-02T03:57:40.022Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-32640 (GCVE-0-2021-32640)

    Vulnerability from cvelistv5 – Published: 2021-05-25 18:25 – Updated: 2024-08-03 23:25
    VLAI
    Title
    ReDoS in Sec-Websocket-Protocol header
    Summary
    ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    websockets ws Affected: >= 5.0.0 <= 7.4.5

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:25:31.019Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff"
              },
              {
                "name": "[tinkerpop-commits] 20210701 [tinkerpop] 01/03: Bumped ws to 6.2.2 to address CVE-2021-32640 CTR",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210706-0005/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ws",
              "vendor": "websockets",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0 \u003c= 7.4.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-06T07:06:26.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff"
            },
            {
              "name": "[tinkerpop-commits] 20210701 [tinkerpop] 01/03: Bumped ws to 6.2.2 to address CVE-2021-32640 CTR",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210706-0005/"
            }
          ],
          "source": {
            "advisory": "GHSA-6fc8-4gx4-v693",
            "discovery": "UNKNOWN"
          },
          "title": "ReDoS in Sec-Websocket-Protocol header",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-32640",
              "STATE": "PUBLIC",
              "TITLE": "ReDoS in Sec-Websocket-Protocol header"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ws",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e= 5.0.0 \u003c= 7.4.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "websockets"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400: Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693"
                },
                {
                  "name": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff",
                  "refsource": "MISC",
                  "url": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff"
                },
                {
                  "name": "[tinkerpop-commits] 20210701 [tinkerpop] 01/03: Bumped ws to 6.2.2 to address CVE-2021-32640 CTR",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210706-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210706-0005/"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-6fc8-4gx4-v693",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-32640",
        "datePublished": "2021-05-25T18:25:09.000Z",
        "dateReserved": "2021-05-12T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:25:31.019Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }