7.5 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.02 Low
Percentile: 88.8%
The ReDoS flaw allows an attacker to exhaust the server’s capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form:
```
Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...
```
That is, a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. The parser takes exponential time to reject this header as invalid, and this will block the processing of any other work on the same thread. Thus if you are running a single-threaded server, such a request can render your service completely unavailable.
Users should upgrade to version 0.1.5.
There are no known workarounds other than disabling any public-facing WebSocket functionality you are operating.
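The defensive fix the advisory points to is to stop parsing the header with a backtracking regex and scan it in a single pass. The following is an added illustration of that approach, not the websocket-extensions gem's own code; it assumes only Ruby's standard strscan library, and the names parse_extensions, scan_quoted_string and ExtensionHeaderError are constructed for this example.

```ruby
require "strscan"

# Constructed single-pass parser for the Sec-WebSocket-Extensions grammar of
# RFC 6455 section 9.1 (ext-list = ext *("," ext); ext = token *(";" param);
# param = token ["=" (token | quoted-string)]). Not the gem's own code. Every
# input character is consumed once, so the unclosed quoted-string from the
# advisory is rejected in linear time rather than by exponential backtracking.
TOKEN = /[!#\$%&'*+\-.^_`|~0-9A-Za-z]+/
class ExtensionHeaderError < StandardError; end

# Scanner is positioned on the opening quote; returns the unescaped value.
def scan_quoted_string(s)
  s.getch
  value = +""
  while (ch = s.getch)
    return value if ch == '"'
    if ch == "\\"
      esc = s.getch or raise ExtensionHeaderError, "dangling backslash"
      value << esc                      # a backslash always takes exactly one char
    elsif (ch.ord < 0x20 && ch != "\t") || ch.ord == 0x7f
      raise ExtensionHeaderError, "control character in quoted-string"
    else
      value << ch
    end
  end
  raise ExtensionHeaderError, "unterminated quoted-string"   # ran off the end
end

# Returns [{ name: "...", params: { "k" => "v" or true } }, ...] or raises.
def parse_extensions(header)
  s = StringScanner.new(header)
  exts = []
  loop do
    s.skip(/[ \t]*/)
    name = s.scan(TOKEN) or raise ExtensionHeaderError, "expected extension name"
    params = {}
    while s.skip(/[ \t]*;[ \t]*/)
      key = s.scan(TOKEN) or raise ExtensionHeaderError, "expected parameter name"
      params[key] =
        if !s.skip(/=/)        then true                   # bare flag parameter
        elsif s.peek(1) == '"' then scan_quoted_string(s)
        else s.scan(TOKEN) || raise(ExtensionHeaderError, "expected parameter value")
        end
    end
    exts << { name: name, params: params }
    s.skip(/[ \t]*/)
    return exts if s.eos?
    s.skip(/,/) or raise ExtensionHeaderError, "unexpected #{s.peek(1).inspect}"
  end
end
```

Feeding the header form shown above (a long run of `\c` pairs with no closing quote) to parse_extensions raises ExtensionHeaderError after one pass over the input, so a request carrying it costs the server time proportional to the header length.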
CPE

Name | Operator | Version
---|---|---
websocket-extensions | lt | 0.1.5
blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions
github.com/advisories/GHSA-g6wq-qcwm-j5g2
github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b
github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
github.com/rubysec/ruby-advisory-db/blob/master/gems/websocket-extensions/CVE-2020-7663.yml
lists.debian.org/debian-lts-announce/2020/08/msg00031.html
nvd.nist.gov/vuln/detail/CVE-2020-7663
snyk.io/vuln/SNYK-RUBY-WEBSOCKETEXTENSIONS-570830
usn.ubuntu.com/4502-1/