Veracode Vulnerability DatabaseVERACODE:47633Denial Of Service (DoS)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
13.2%
ws is vulnerable to Denial Of Service (DoS). The vulnerability is due to improper handling of the Upgrade header when the number of received headers exceeds the server.maxHeadersCount or request.maxHeadersCount threshold, causing incomingMessage.headers.upgrade to not be set. Attackers can use this to crash the ws server by sending a request with an excessive number of headers.
References
github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e
github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c
github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
github.com/websockets/ws/issues/2230
github.com/websockets/ws/pull/2231
github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
nodejs.org/api/http.html#servermaxheaderscount
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
13.2%