CVE-2021-4236

Name of the Vulnerable Software and Affected Versions github.com/ecnepsnai/web package versions prior to 1.5.2

Description The issue arises when Web Sockets do not execute any AuthenticateMethod methods, potentially leading to a nil pointer dereference or authentication bypass. This problem specifically affects WebSockets that have an AuthenticateMethod hook set. Request handlers not using WebSockets explicitly are not vulnerable. Depending on the implementation, this could result in a denial-of-service or privilege escalation vulnerability in software utilizing the github.com/ecnepsnai/web package with affected Web Sockets.

Recommendations For versions prior to 1.5.2, update to version 1.5.2 or later to resolve the issue. As a temporary workaround for versions prior to 1.5.2, consider making the authenticate method a named function and calling it at the start of the handle method for the websocket, rejecting connections when the return value of the method is nil.