PT-2020-19690 · Npm · Websocket-Extensions

Published: 2020-06-02 · Updated: 2020-12-23 · CVE-2020-7662
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: websocket-extensions npm module, versions prior to 0.1.4
Description: The issue allows Denial of Service (DoS) via regex backtracking. An attacker can exploit it by sending a crafted Sec-WebSocket-Extensions header: the extension parser takes quadratic time when parsing a header value that contains an unclosed string parameter value. This can exhaust the server's capacity to process incoming requests, rendering the service completely unavailable, especially on single-threaded servers.
Recommendations: For versions prior to 0.1.4, upgrade to version 0.1.4 to resolve the issue. As a temporary workaround, consider disabling any public-facing WebSocket functionality until the upgrade is applied.
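The defensive pattern against this class of bug is a single-pass header parser that never backtracks, so an unclosed quoted-string value is rejected after one scan of the input. The following is an added example in that spirit, not code from the websocket-extensions project; the function name parseExtensions and its return shape are assumptions.

```javascript
// Added example, not code from the websocket-extensions project: a single-pass
// parser for a Sec-WebSocket-Extensions header value (RFC 6455 section 9.1:
// extension = token *( ";" token [ "=" ( token | quoted-string ) ] ), comma-separated).
// Each character is read at most once, so an unclosed quoted-string value is
// rejected in linear time instead of triggering regex backtracking.
const TCHAR = /[!#$%&'*+\-.^_`|~0-9A-Za-z]/;
// Returns an array of { name, params } objects, or null for a malformed header.
function parseExtensions(header) {
  const n = header.length, offers = [];
  let i = 0;
  const skipWs = () => { while (i < n && (header[i] === ' ' || header[i] === '\t')) i++; };
  const readToken = () => {
    const start = i;
    while (i < n && TCHAR.test(header[i])) i++;
    return i > start ? header.slice(start, i) : null;
  };
  // Consumes a quoted-string (backslash escapes allowed); null if the closing quote never comes.
  const readQuoted = () => {
    let value = '';
    i++; // opening '"'
    while (i < n) {
      const c = header[i++];
      if (c === '"') return value;
      if (c === '\\') { if (i >= n) return null; value += header[i++]; } else value += c;
    }
    return null; // end of input reached inside the quoted-string
  };
  for (;;) {
    skipWs();
    const name = readToken(); if (name === null) return null;
    const params = {};
    skipWs();
    while (i < n && header[i] === ';') {
      i++; skipWs();
      const key = readToken(); if (key === null) return null;
      let value = true; // a bare parameter acts as a flag
      if (i < n && header[i] === '=') {
        i++; skipWs();
        value = header[i] === '"' ? readQuoted() : readToken();
        if (value === null) return null;
      }
      skipWs();
      params[key] = value;
    }
    offers.push({ name, params });
    if (i >= n) return offers;
    if (header[i] !== ',') return null;
    i++; // next extension in the list
  }
}
```

A null result should be treated as a protocol error and the handshake rejected before any extension negotiation takes place.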

Exploit

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

AZL-44202
CVE-2020-7662
GHSA-G78M-2CHM-R7QV
RHSA-2020:2796
RHSA-2020:2861
SNYK-JS-WEBSOCKETEXTENSIONS-570623

Affected Products

Websocket-Extensions