PT-2021-4265 · Npm · Ws

Robert Mclaughlin · Published 2021-05-01 · Updated 2022-06-05 · CVE-2021-32640

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
ws versions prior to 7.4.6
ws versions prior to 6.2.2
ws versions prior to 5.2.3

Description
A specially crafted value of the Sec-WebSocket-Protocol header can be used to significantly slow down a ws server, potentially leading to a denial of service. The issue lies in how ws interprets the Sec-WebSocket-Protocol header.

Recommendations
For ws versions prior to 7.4.6, update to ws@7.4.6 or later.
For ws versions prior to 6.2.2, update to ws@6.2.2 or later.
For ws versions prior to 5.2.3, update to ws@5.2.3 or later.
As a temporary workaround, consider reducing the maximum allowed length of the request headers using the Node.js --max-http-header-size=size flag and/or the maxHeaderSize option of the HTTP server.

Weakness Enumeration

Insufficient Verification of Data Authenticity
Resource Exhaustion

Related Identifiers

AZL-44670
BDU:2021-04873
CVE-2021-32640
GHSA-6FC8-4GX4-V693

Affected Products

Ws