CVE-2022-37797

Name of the Vulnerable Software and Affected Versions lighttpd version 1.4.65

Description The issue is related to the mod wstunnel module in the lighttpd web server, which is connected to pointer dereference errors. If an invalid HTTP request, specifically a websocket handshake, is received, the handler function pointer is not initialized, leading to a null pointer dereference that crashes the server. This could be exploited by a remote attacker to cause a denial of service condition.

Recommendations For lighttpd version 1.4.65, as a temporary workaround, consider disabling the mod wstunnel module until a patch is available. Restrict access to the websocket handshake endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.