ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LNetapp E Series Performance Analyzer
APPNetappwszystkie wersjeWs Project Ws
APPWs Project5.0.0 – 6.2.2 (bez)7.0.0 – 7.4.6 (bez)
Related vulnerabilities
The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype...
A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory co...
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials ...
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including...
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when pr...