VYPR
Moderate severity · NVD Advisory · Published May 25, 2021 · Updated Aug 3, 2024

ReDoS in Sec-Websocket-Protocol header

CVE-2021-32640

Description

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the `--max-http-header-size=size` and/or the `maxHeaderSize` options.
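As an added example (not ws's own code and not the code from the fix commit), here is the kind of single-pass, regex-free Sec-WebSocket-Protocol parser a server can use so that the cost of handling the header grows only linearly with its length; the function name and the choice to reject duplicate or malformed names are assumptions of this example.

```javascript
'use strict';

// RFC 7230 "tchar": the characters allowed in a subprotocol name (a token).
const TOKEN_CHARS = new Set(
  "!#$%&'*+-.^_`|~0123456789" +
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
);

/**
 * Parse a Sec-WebSocket-Protocol header value into an array of names.
 * One forward pass and no regular expressions, so the work is linear in
 * the header length whatever the input looks like. Throws SyntaxError on
 * an empty item, a character outside tchar, or a duplicate name, so the
 * caller can reject the handshake instead of guessing.
 */
function parseSubprotocols(header) {
  const seen = new Set();
  const protocols = [];
  let start = -1; // index where the current token began, -1 when outside one
  let end = -1; // index just past the current token once whitespace follows it

  const flush = (i) => {
    if (start === -1) throw new SyntaxError(`Expected a subprotocol name at index ${i}`);
    const name = header.slice(start, end === -1 ? i : end);
    if (seen.has(name)) throw new SyntaxError(`Duplicate subprotocol "${name}"`);
    seen.add(name);
    protocols.push(name);
    start = end = -1;
  };

  for (let i = 0; i < header.length; i++) {
    const ch = header[i];
    if (TOKEN_CHARS.has(ch)) {
      // A token char after trailing whitespace means two names without a comma.
      if (end !== -1) throw new SyntaxError(`Unexpected character at index ${i}`);
      if (start === -1) start = i;
    } else if (ch === ' ' || ch === '\t') {
      if (start !== -1 && end === -1) end = i; // name ended, optional whitespace follows
    } else if (ch === ',') {
      flush(i);
    } else {
      throw new SyntaxError(`Unexpected character at index ${i}`);
    }
  }
  flush(header.length); // the last name has no trailing comma
  return protocols;
}
```

Pair it with the mitigation named above: capping request header size with `--max-http-header-size` or the `maxHeaderSize` option of Node's `http.createServer` bounds how much input this parser, and the rest of the handshake, ever has to process.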

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Affected versions    Patched versions
ws (npm)   >= 7.0.0, < 7.4.6    7.4.6
ws (npm)   >= 6.0.0, < 6.2.2    6.2.2
ws (npm)   >= 5.0.0, < 5.2.3    5.2.3

Affected products

  • ghsa-coords
    Range: >= 7.0.0, < 7.4.6
  • websockets/wsv5
    Range: >= 5.0.0 <= 7.4.5