Moderate severity · NVD Advisory · Published May 25, 2021 · Updated Aug 3, 2024
ReDoS in Sec-Websocket-Protocol header
CVE-2021-32640
Description
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server: the cost of parsing the header grows superlinearly with the length of the crafted value, so an unauthenticated client can tie up the event loop with a single upgrade request. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers, which bounds the size of the value the parser ever sees, using the Node.js `--max-http-header-size=size` command-line flag and/or the `maxHeaderSize` option of `http.createServer()`.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ws (npm) | >= 7.0.0, < 7.4.6 | 7.4.6 |
| ws (npm) | >= 6.0.0, < 6.2.2 | 6.2.2 |
| ws (npm) | >= 5.0.0, < 5.2.3 | 5.2.3 |
Affected products
- websockets/ws: >= 5.0.0, <= 7.4.5
References
- https://github.com/advisories/GHSA-6fc8-4gx4-v693 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-32640 (NVD advisory)
- https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff (fix commit)
- https://github.com/websockets/ws/issues/1895 (issue report)
- https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693 (vendor advisory)
- https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E (Apache TinkerPop commits mailing list)
- https://security.netapp.com/advisory/ntap-20210706-0005/ (NetApp advisory)