5 matches found
EUVD-2021-0968
Malware in sbrugna...
Regular Expression Denial Of Service (ReDoS)
ws is vulnerable to regular expression denial of service. An attacker is able to cause excessive CPU consumption that can lead to an application crash by submitting a malicious value of Sec-Websocket-Protocol...
Regular Expression Denial of Service
Overview: In ws before versions 5.2.3, 6.2.2 and 7.4.6 there is a ReDOS vulnerability. Impact: A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. Proof of concept: js for const length of 1000, 2000, 4000, 8000, 16000, 32000 const value ...
CVE-2021-32640
A flaw was found in nodejs-ws. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. Mitigation: In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the...
Cross site request forgery (csrf)
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in email protected...