Description
A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.
Recommendation
Update the ws package to the latest compatible version. Followings are version details:
Affected version(s): **>= 5.0.0, < 5.2.3 >= 6.0.0, < 6.2.2 >= 7.0.0, < 7.4.6** Patched version(s): **5.2.3 6.2.2 7.4.6**
References
- GHSA-6fc8-4gx4-v693
- lists.apache.org
- security.netapp.com
- CVE-2021-32640
- CWE-345
- CWE-400
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- method-override ReDoS when untrusted user input passed into X-HTTP-Method-Override header - CVE-2017-16136
- Regular Expression Denial of Service (ReDoS) - ssri - CVE-2021-27290
- jspdf vulnerable to Regular Expression Denial of Service (ReDoS) - CVE-2021-23353
- Regular Expression Denial of Service (ReDoS) in Prism - CVE-2021-32723
You might also like:
- Tags:
- npm
- ws
Anything's wrong? Let us know Last updated on February 03, 2023


