Description
A specially crafted value of the Sec-WebSocket-Protocol header can be used to significantly slow down a ws server. The header value is split with a regular expression that backtracks excessively on certain inputs (a regular-expression denial of service, ReDoS), so a single unauthenticated handshake request can consume CPU time out of proportion to its size, and the cost grows super-linearly with the length of the header value.
Recommendation
Update the ws package to the latest compatible version. Version details follow:
Affected version(s): **>= 5.0.0, < 5.2.3**; **>= 6.0.0, < 6.2.2**; **>= 7.0.0, < 7.4.6**
Patched version(s): **5.2.3**, **6.2.2**, **7.4.6**
Where an immediate upgrade is not possible, the impact can be bounded by capping the size of incoming request headers (Node's --max-http-header-size flag, or the maxHeaderSize option of http.createServer), since the slowdown scales with the length of the header value.
References
- GHSA-6fc8-4gx4-v693
- lists.apache.org
- security.netapp.com
- CVE-2021-32640
- CWE-345
- CWE-400
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- jsx-slack insufficient patch for CVE-2021-43838 ReDoS - CVE-2021-43843
- Regular Expression Denial of Service (ReDoS) in ua-parser-js - CVE-2021-27292
- Regular Expression Denial of Service (ReDoS) in Prism - CVE-2021-32723
- Regular Expression Denial of Service (ReDoS) in jsx-slack - CVE-2021-43838
Tags:
- npm
- ws
Last updated on February 03, 2023