
202 matches found

Github Security Blog · added 2025/04/24 4:03 p.m. · 23 views

tRPC 11 WebSocket DoS Vulnerability

Summary: An unhandled error is thrown when validating invalid connectionParams, which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server.
Details: Any tRPC 11 server with WebSocket enabled and a createContext method set is vulnerable. Here is a...

CVSS 8.7 · AI score 6.4 · EPSS 0.00349
Exploits 0 · References 6 · Affected software 1
OSV · added 2025/04/24 4:03 p.m. · 9 views

GHSA-PJ3V-9CM8-GVJ8 tRPC 11 WebSocket DoS Vulnerability

Summary: An unhandled error is thrown when validating invalid connectionParams, which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server.
Details: Any tRPC 11 server with WebSocket enabled and a createContext method set is vulnerable. Here is a...

CVSS 8.7 · AI score 6.8 · EPSS 0.00349
Exploits 0 · References 6
OSV · added 2025/04/24 1:58 p.m. · 29 views

CVE-2025-43855 tRPC 11 WebSocket DoS Vulnerability

tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to cras...

CVSS 8.7 · AI score 6.8 · EPSS 0.00349
Exploits 0 · References 4
Positive Technologies · added 2025/04/24 12:00 a.m. · 4 views

PT-2025-17733 · Trpc · Trpc

Name of the vulnerable software and affected versions: tRPC versions 11.0.0 through 11.1.0
Description: The issue allows any unauthenticated user to crash a tRPC 11 WebSocket server by sending invalid connectionParams, whose validation throws an unhandled error. This affects tRPC 11 servers with WebSocke...

CVSS 8.7 · AI score 6.4 · EPSS 0.00349
Exploits 0 · References 10
CNNVD · added 2025/04/24 12:00 a.m. · 6 views

tRPC security vulnerability

tRPC is a TypeScript framework for building type-safe APIs from the tRPC community. A security vulnerability exists in tRPC version 11.0.0 that stems from an unhandled error that could cause the WebSocket server to crash...

CVSS 8.7 · AI score 6.4 · EPSS 0.00349
Exploits 0 · References 2
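The tRPC entries above all describe the same mechanism: a validator that throws on bad connectionParams inside an async createContext, with the resulting rejected promise left unhandled. The following is an added example (not tRPC's own code) that shows the vulnerable shape next to a handler that turns every error on untrusted connectionParams into a close frame on that socket only. The params schema (a flat object of strings), the ws-style socket with close(code, reason), and the in-memory session table are assumptions made for the example.

```javascript
// Added example; not tRPC's own code. The entries above describe a validator
// that throws on bad connectionParams inside an async createContext, with the
// resulting rejected promise left unhandled. Both shapes are shown here.
// Assumptions: the params schema (flat object of strings), a ws-style socket
// exposing close(code, reason), and a constructed in-memory session table.

const CLOSE_POLICY_VIOLATION = 1008; // RFC 6455 section 7.4.1
const CLOSE_INTERNAL_ERROR = 1011;
const MAX_PARAMS_BYTES = 4096;

const SESSIONS = new Map([['s-alice', { userId: 'alice' }]]); // constructed sample data

// Strict validator: throws on anything unexpected.
function parseConnectionParams(raw) {
  if (typeof raw !== 'string') throw new TypeError('connectionParams must be a string');
  if (Buffer.byteLength(raw) > MAX_PARAMS_BYTES) throw new RangeError('connectionParams too large');
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    throw new SyntaxError('connectionParams is not valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('connectionParams must be a JSON object');
  }
  for (const [key, value] of Object.entries(parsed)) {
    if (typeof value !== 'string') throw new TypeError(`connectionParams.${key} must be a string`);
  }
  return parsed;
}

// Stand-in for a session/database lookup (hypothetical).
async function lookupSession(token) {
  return SESSIONS.get(token) ?? null;
}

// Vulnerable shape: the throw becomes a rejected promise. A caller such as
//   socket.on('message', (data) => { unsafeCreateContext(String(data)); })
// neither awaits nor catches it, so Node (v15+) treats the rejection as
// fatal and exits: one malformed client message takes down every connection.
async function unsafeCreateContext(raw) {
  const params = parseConnectionParams(raw);
  return { user: params.token ? await lookupSession(params.token) : null };
}

// Hardened shape: a validation failure is this client's fault and is answered
// with close code 1008 on this socket only; anything else (e.g. the session
// store being down) is 1011. The function never rejects, so a
// fire-and-forget caller cannot crash the process through it.
async function safeConnectionHandler(socket, raw) {
  let params;
  try {
    params = parseConnectionParams(raw);
  } catch (err) {
    socket.close(CLOSE_POLICY_VIOLATION, 'invalid connectionParams');
    return null;
  }
  try {
    return { user: params.token ? await lookupSession(params.token) : null };
  } catch (err) {
    socket.close(CLOSE_INTERNAL_ERROR, 'internal error');
    return null;
  }
}

// Minimal socket stand-in so the handler can be exercised offline.
function fakeSocket() {
  return { code: null, reason: null, close(code, reason) { this.code = code; this.reason = reason; } };
}
```

The size cap and the "no throw escapes" rule matter together: the first keeps a single client from making the validator expensive, the second keeps a single client from turning a validation error into a process exit. A handler registered as a process-wide `unhandledRejection` listener would also prevent the exit, but it hides every other bug in the server; catching at the connection boundary is the fix that matches the advisory.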
Cvelist · added 2025/04/03 1:36 p.m. · 40 views

CVE-2025-32049 Libsoup: denial of service attack to websocket server

A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS)...

CVSS 7.5 · EPSS 0.00764
Exploits 0 · References 16
Vulnrichment · added 2025/04/03 1:36 p.m. · 17 views

CVE-2025-32049 Libsoup: denial of service attack to websocket server

A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS)...

CVSS 7.5 · AI score 6.9 · EPSS 0.00764
Exploits 0 · References 16
Veracode · added 2025/02/05 1:30 a.m. · 15 views

Remote Code Execution (RCE)

Vitest is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the WebSocket server not validating the Origin header and lacking an authorization mechanism, allowing an attacker to inject and execute arbitrary code via the saveTestFile and rerun APIs...

CVSS 9.6 · AI score 8.1 · EPSS 0.0067
Exploits 1 · References 8 · Affected software 1
OSV · added 2025/02/04 7:36 p.m. · 6 views

CVE-2025-24964 Remote Code Execution when accessing a malicious website while Vitest API server is listening

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote code execution when accessing a malicious website while the Vitest API server is listening, via cross-site WebSocket hijacking (CSWSH) attacks. When the api option is enabled (Vitest UI enables it), Vitest starts a...

CVSS 9.6 · AI score 8.7 · EPSS 0.0067
Exploits 1 · References 6
Github Security Blog · added 2024/06/17 7:09 p.m. · 499 views

ws affected by a DoS when handling a request with many HTTP headers

Impact: A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.
Proof of concept (js): const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = ...

CVSS 7.5 · AI score 6.8 · EPSS 0.01357
Exploits 0 · References 8 · Affected software 1
Vulnrichment · added 2024/06/17 7:09 p.m. · 60 views

CVE-2024-37890 Denial of service when handling a request with many HTTP headers in ws

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4...

CVSS 7.5 · AI score 7 · EPSS 0.01357
Exploits 0 · References 8
OSV · added 2024/06/17 7:09 p.m. · 29 views

CVE-2024-37890 Denial of service when handling a request with many HTTP headers in ws

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4...

CVSS 7.5 · AI score 6.8 · EPSS 0.01357
Exploits 0 · References 10
NVD · added 2024/03/14 12:15 a.m. · 11 views

CVE-2024-28251

Querybook is a Big Data Querying UI, combining collocated table metadata and a simple notebook interface. Querybook's datadocs functionality works by using a Websocket Server. The client talks to this WSS whenever updating/deleting/reading any cells as well as for watching the live status of quer...

CVSS 7.3 · AI score 5.4 · EPSS 0.00239
Exploits 0 · References 2
CVE · added 2024/03/13 11:21 p.m. · 74 views

CVE-2024-28251

Querybook (Big Data Querying UI) exposes a cross-site websocket hijacking risk due to permissive CORS on its WebSocket Server. The issue affects datadocs functionality where the client communicates with a WebSocket Server to update/read/delete cells and monitor query execution, enabling an attack...

CVSS 7.3 · AI score 5.4 · EPSS 0.00239
Exploits 0 · References 2 · Affected software 1
OSV · added 2023/10/19 8:02 p.m. · 31 views

GHSA-HMGW-9JRG-HF2M Directus crashes on invalid WebSocket message

Summary It seems that any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. This could probably be posted as an issue and I might even be able to put together a pull request for a fix if only I had some extra time..., but I decided...

CVSS 7.5 · AI score 5.7 · EPSS 0.00689
Exploits 1 · References 5
OSV · added 2023/04/04 5:15 p.m. · 5 views

CVE-2023-1751

The listed versions of Nexx Smart Home devices use a WebSocket server that does not validate if the bearer token in the Authorization header belongs to the device attempting to associate. This could allow any authorized user to receive alarm information and signals meant for other devices which...

CVSS 5.3 · AI score 6.1 · EPSS 0.00586
Exploits 0 · References 1
Prion · added 2023/04/04 5:15 p.m. · 21 views

Authorization

The listed versions of Nexx Smart Home devices use a WebSocket server that does not validate if the bearer token in the Authorization header belongs to the device attempting to associate. This could allow any authorized user to receive alarm information and signals meant for other devices which...

CVSS 5 · AI score 6.2 · EPSS 0.00586
Exploits 0 · References 1 · Affected software 4
Vulnrichment · added 2023/04/04 4:54 p.m. · 7 views

CVE-2023-1751

The listed versions of Nexx Smart Home devices use a WebSocket server that does not validate if the bearer token in the Authorization header belongs to the device attempting to associate. This could allow any authorized user to receive alarm information and signals meant for other devices which...

CVSS 7.5 · AI score 7.4 · EPSS 0.00586
Exploits 0 · References 1
Cvelist · added 2023/04/04 4:54 p.m. · 17 views

CVE-2023-1751

The listed versions of Nexx Smart Home devices use a WebSocket server that does not validate if the bearer token in the Authorization header belongs to the device attempting to associate. This could allow any authorized user to receive alarm information and signals meant for other devices which...

CVSS 7.5 · AI score 7.6 · EPSS 0.00586
Exploits 0 · References 1
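The Nexx entries above describe a WebSocket server that accepts any valid bearer token without checking that the token's owner is entitled to the device being associated, so one customer can receive another customer's alarm events. The following added example (not Nexx's firmware or cloud code) shows the missing binding: the principal is resolved from the token once, and every association is checked against that principal's devices before the socket is subscribed to the device's events. The token format, the message shape, the session table and the device ownership table are assumptions constructed for the example.

```javascript
// Added example, not Nexx's code. Authentication (who is calling) and
// authorization (may that caller use this device) are separate checks; the
// advisory is about the second one being absent. Tokens, device ids and the
// two tables below are constructed sample data.

const SESSIONS = new Map([            // bearer token -> account (constructed)
  ['tok-alice', { account: 'alice' }],
  ['tok-bob',   { account: 'bob' }],
]);
const DEVICE_OWNER = new Map([        // device id -> owning account (constructed)
  ['garage-1', 'alice'],
  ['alarm-7',  'bob'],
]);

// Parse "Authorization: Bearer <token>" and resolve it to a principal, or null.
function principalFromAuthorization(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const [scheme, token, ...rest] = headerValue.trim().split(/\s+/);
  if (rest.length || !token || scheme.toLowerCase() !== 'bearer') return null;
  return SESSIONS.get(token) ?? null;
}

// Vulnerable behaviour: any valid token may associate with any existing device.
function associateUnchecked(headers, deviceId) {
  const who = principalFromAuthorization(headers.authorization);
  if (!who) return { ok: false, status: 401 };
  const exists = DEVICE_OWNER.has(deviceId);
  return { ok: exists, status: exists ? 200 : 404, deviceId };
}

// Fixed behaviour: the device must belong to the authenticated account.
function associateChecked(headers, deviceId) {
  const who = principalFromAuthorization(headers.authorization);
  if (!who) return { ok: false, status: 401 };
  const owner = DEVICE_OWNER.get(deviceId);
  // 404 for both "no such device" and "not yours", so the API does not confirm
  // which device ids exist for other accounts.
  if (owner === undefined || owner !== who.account) return { ok: false, status: 404 };
  return { ok: true, status: 200, deviceId, account: who.account };
}

// Fan-out must read only the subscription sets that associateChecked built:
// subscriptions is Map<socketId, Set<deviceId>>. Returns the deliveries to make.
function dispatchAlarm(subscriptions, deviceId, event) {
  const deliveries = [];
  for (const [socketId, devices] of subscriptions) {
    if (devices.has(deviceId)) deliveries.push({ socketId, deviceId, event });
  }
  return deliveries;
}
```

The same pattern applies per message, not only at association time: if the protocol lets a connected client name a device id in later frames (subscribe, query, command), each of those frames goes through the ownership check too, or the socket's subscription set is the only source of device ids the server will act on.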
SUSE CVE · added 2023/02/28 3:27 a.m. · 3 views

SUSE CVE-2023-26103

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /\s*,\s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to...

CVSS 7.5 · AI score 6.9 · EPSS 0.01229
Exploits 1 · References 3