MEDIUM✓ PATCH🇵🇱 Wersja polska

CVE-2021-32640

CVSS 5.3v3.1pub. 2021-05-25upd. 2024-11-21

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • Netapp E Series Performance Analyzer

    APP
    Netapp
    wszystkie wersje
  • Ws Project Ws

    APP
    Ws Project
    5.0.0 – 6.2.2 (bez)7.0.0 – 7.4.6 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2021-26707CRITICAL9.8ten sam produkt

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype...

CVE-2021-20231CRITICAL9.8ten sam produkt

A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory co...

CVE-2019-13272HIGH7.8⚠ KEVten sam produkt

In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials ...

CVE-2026-48779HIGH7.5ten sam produkt

ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including...

CVE-2022-45061HIGH7.5ten sam produkt

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when pr...