CVSS3 score: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.001 Low
EPSS Percentile: 38.6%
Any application using @fastify/websocket could crash if a specific, malformed packet is sent.
All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched.
This has been patched in v7.1.1 (fastify v4) and v5.0.1 (fastify v3).
No known workaround is available. However, it should be possible to attach the error handler manually.
The recommended path is upgrading to the patched versions.
Credit: marcolanaro for finding and patching this vulnerability.
If you have any questions or comments about this advisory:
Name | Operator | Version
---|---|---
@fastify/websocket | lt | 7.1.1
@fastify/websocket | ge | 5.0.0
@fastify/websocket | ge | 6.0.0
@fastify/websocket | lt | 5.0.1
fastify-websocket | le | 4.3.0
github.com/fastify/fastify-websocket
github.com/fastify/fastify-websocket/commit/7e8c41a51c101c3d5ce88caee4f71d9c29eb2863
github.com/fastify/fastify-websocket/commit/c24adeb3efd57a18b2f287c35d029e88b5a47194
github.com/fastify/fastify-websocket/pull/228
github.com/fastify/fastify-websocket/releases/tag/v5.0.1
github.com/fastify/fastify-websocket/releases/tag/v7.1.1
github.com/fastify/fastify-websocket/security/advisories/GHSA-4pcg-wr6c-h9cq
nvd.nist.gov/vuln/detail/CVE-2022-39386