Description
A specially crafted value of the Sec-WebSocket-Protocol header can be used to significantly slow down a ws server.
Recommendation
Update the ws package to the latest compatible version. Version details:
Affected version(s): **>= 5.0.0, < 5.2.3; >= 6.0.0, < 6.2.2; >= 7.0.0, < 7.4.6**
Patched version(s): **5.2.3, 6.2.2, 7.4.6**
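Because ws is often pulled in transitively, a single `npm ls ws` can miss nested copies. The following is an added example, not code from this advisory or from the ws project: it encodes the affected ranges and patched versions listed above and walks a package-lock.json (v2/v3 `packages` map) to report every copy of ws that falls in a vulnerable range and the patched release on the same major line to move to. The helper names (`parseVersion`, `compareVersions`, `checkWsVersion`, `auditLockfile`) and the sample lockfile fragment are this example's own.

```javascript
// Added example (not from the advisory or the ws project). Ranges and patched
// versions below are the ones the advisory lists; everything else is assumed.

const AFFECTED_RANGES = [
  { min: '5.0.0', maxExclusive: '5.2.3', patched: '5.2.3' },
  { min: '6.0.0', maxExclusive: '6.2.2', patched: '6.2.2' },
  { min: '7.0.0', maxExclusive: '7.4.6', patched: '7.4.6' },
];

// Parse "major.minor.patch"; a leading "v" and any pre-release/build suffix
// are tolerated but ignored. Anything else is rejected rather than guessed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of the three components: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected: boolean, upgradeTo: string|null } for one ws version.
// Versions outside every listed range (e.g. 4.x or 8.x) are reported as not
// affected by this advisory; that says nothing about other advisories.
function checkWsVersion(installed) {
  for (const r of AFFECTED_RANGES) {
    const inRange =
      compareVersions(installed, r.min) >= 0 &&
      compareVersions(installed, r.maxExclusive) < 0;
    if (inRange) return { affected: true, upgradeTo: r.patched };
  }
  return { affected: false, upgradeTo: null };
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// Nested copies such as node_modules/foo/node_modules/ws are included, since
// those are the ones a top-level dependency check tends to overlook.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isWs = path === 'node_modules/ws' || path.endsWith('/node_modules/ws');
    if (!isWs || !entry || !entry.version) continue;
    const result = checkWsVersion(entry.version);
    if (result.affected) {
      findings.push({ path, version: entry.version, upgradeTo: result.upgradeTo });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from any real project).
const SAMPLE_LOCK = {
  packages: {
    'node_modules/ws': { version: '7.4.5' },
    'node_modules/some-dep/node_modules/ws': { version: '6.2.2' },
    'node_modules/other-dep/node_modules/ws': { version: '5.1.0' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

On the constructed sample this reports the top-level 7.4.5 copy (upgrade to 7.4.6) and the nested 5.1.0 copy (upgrade to 5.2.3), and leaves the 6.2.2 copy alone because it is already the patched release. Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the result is only as accurate as the lockfile, so regenerate the lockfile first if `node_modules` has been modified by hand.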
References
- GHSA-6fc8-4gx4-v693
- lists.apache.org
- security.netapp.com
- CVE-2021-32640
- CWE-345
- CWE-400
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- pg-promise SQL Injection vulnerability - CVE-2025-29744
- njwt Prototype Pollution vulnerability - CVE-2024-34273
- Elliptic allows BER-encoded signatures - CVE-2024-42461
- ws affected by a DoS when handling a request with many HTTP headers - CVE-2024-37890
Tags:
- npm
- ws
Last updated on February 03, 2023