Robert Mclaughlin

Researcher fromUniversity of California, Santa Barbara
#10651of 53,633
25.9Total CVSS
Vulnerabilities · 4
Medium
2
High
2
PT-2021-15512
7.5
2021-08-18
Ansi-Html · Ansi-Html · CVE-2021-23424
**Name of the Vulnerable Software and Affected Versions** ansi-html (affected versions not specified) **Description** The issue arises when an attacker provides a malicious string, causing the system to get stuck processing the input for an extremely long time. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2021-15513
5.3
2021-08-18
Unknown · Trim-Off-Newlines · CVE-2021-23425
**Name of the Vulnerable Software and Affected Versions** trim-off-newlines (affected versions not specified) **Description** The issue concerns a Regular Expression Denial of Service (ReDoS) via string processing. This means that the software is vulnerable to a type of attack where an attacker can cause the software to consume excessive resources by providing a specially crafted input that triggers a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2021-4265
5.3
2021-05-01
Npm · Ws · CVE-2021-32640
**Name of the Vulnerable Software and Affected Versions** ws versions prior to 7.4.6 ws versions prior to 6.2.2 ws versions prior to 5.2.3 **Description** A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server, potentially leading to a denial of service. The issue is related to the incorrect interpretation of the `Sec-Websocket-Protocol` header. **Recommendations** For ws versions prior to 7.4.6, update to ws@7.4.6 or later. For ws versions prior to 6.2.2, update to ws@6.2.2 or later. For ws versions prior to 5.2.3, update to ws@5.2.3 or later. As a temporary workaround, consider reducing the maximum allowed length of the request headers using the `--max-http-header-size=size` and/or the `maxHeaderSize` options.
PT-2020-19691
7.8
2020-06-02
Ruby · Websocket-Extensions · CVE-2020-7663
**Name of the Vulnerable Software and Affected Versions** websocket-extensions ruby module versions prior to 0.1.5 **Description** The issue allows for Denial of Service (DoS) via Regex Backtracking. An attacker can exploit this by providing a malicious payload with the Sec-WebSocket-Extensions header, containing an unclosed string parameter value with a repeating two-byte sequence of a backslash and some other character. This can exhaust the server's capacity to process incoming requests, rendering the service completely unavailable, especially on single-threaded servers. **Recommendations** For versions prior to 0.1.5, upgrade to version 0.1.5 to resolve the issue. As a temporary workaround, consider disabling any public-facing WebSocket functionality until the upgrade is applied.