CVE-2020-7663

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions websocket-extensions ruby module versions prior to 0.1.5

Description The issue allows for Denial of Service (DoS) via Regex Backtracking. An attacker can exploit this by providing a malicious payload with the Sec-WebSocket-Extensions header, containing an unclosed string parameter value with a repeating two-byte sequence of a backslash and some other character. This can exhaust the server's capacity to process incoming requests, rendering the service completely unavailable, especially on single-threaded servers.

Recommendations For versions prior to 0.1.5, upgrade to version 0.1.5 to resolve the issue. As a temporary workaround, consider disabling any public-facing WebSocket functionality until the upgrade is applied.

Exploit

Fix

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

BDU:2025-09009

CVE-2020-7663

DLA-2334-1

GHSA-G6WQ-QCWM-J5G2

OESA-2022-1553

OESA-2022-2093

OPENSUSE-SU-2023_0127-1

OPENSUSE-SU-2024:11357-1

OPENSUSE-SU-2024:13173-1

OPENSUSE-SU-2024:14180-1

OPENSUSE-SU-2025:15130-1

OPENSUSE-SU-2026:10368-1

RHSA-2020:4366

SNYK-RUBY-WEBSOCKETEXTENSIONS-570830

SUSE-SU-2023:0127-1

SUSE-SU-2023_0127-1

USN-4502-1

Affected Products

Astra Linux

Linuxmint

Red Os

Suse

Ubuntu

Websocket-Extensions

CVE-2020-7663

Weakness Enumeration

Related Identifiers

Affected Products

References · 38