CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ws is vulnerable to Denial of Service (DoS). The vulnerability is caused by improper handling of the Upgrade header: when the number of received headers exceeds the server.maxHeadersCount or request.maxHeadersCount threshold, Node.js drops the excess headers, so incomingMessage.headers.upgrade is never set even though the HTTP parser has already flagged the request as an upgrade and handed it to ws. ws then dereferences the missing header and throws an uncaught TypeError, crashing the server. An unauthenticated attacker can trigger this with a single request carrying an excessive number of headers. Besides upgrading ws, the advisory lists two workarounds: lower the maximum request header size (the --max-http-header-size flag or the maxHeaderSize server option) so that more than server.maxHeadersCount headers cannot fit in a request, or set server.maxHeadersCount to 0 so that no header-count limit is applied.
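The mechanism above, as an added example that is not part of the advisory or of the ws code base. It models Node's header-count cap with a plain function instead of a live server (the real parser flushes headers in batches, so the exact cut-off differs slightly, but a trailing Upgrade header is lost the same way), then runs a pre-fix style check that dereferences headers.upgrade unconditionally beside a hardened one that rejects a missing header with 400. The names collectHeaders, buildHandshakePairs, vulnerableUpgradeCheck, hardenedUpgradeCheck and simulate are illustrative, and the filler-header request is constructed after the advisory's proof of concept, which sends 2000 filler headers before the handshake headers.

```javascript
// Added example (not ws project code): how exceeding server.maxHeadersCount
// makes req.headers.upgrade disappear, and why that crashes a handler that
// assumes the header is present.

// Simplified model of Node's per-request header collection (assumption: the
// real implementation drops headers in parser batches, but the effect on a
// trailing Upgrade header is the same). maxHeadersCount === 0 means no limit,
// as documented for http.Server#maxHeadersCount. Node's default is 2000.
function collectHeaders(rawPairs, maxHeadersCount) {
  const headers = {};
  let stored = 0;
  for (const [name, value] of rawPairs) {
    if (maxHeadersCount > 0 && stored >= maxHeadersCount) break; // excess dropped
    headers[name.toLowerCase()] = value; // Node lowercases header names
    stored++;
  }
  return headers;
}

// Constructed handshake: `padding` filler headers first, then the real
// WebSocket upgrade headers, so the latter are the ones that get dropped.
function buildHandshakePairs(padding) {
  const pairs = [];
  for (let i = 0; i < padding; i++) pairs.push([`x-filler-${i}`, 'x']);
  pairs.push(['Connection', 'Upgrade']);
  pairs.push(['Upgrade', 'websocket']);
  pairs.push(['Sec-WebSocket-Key', 'dGhlIHNhbXBsZSBub25jZQ==']);
  pairs.push(['Sec-WebSocket-Version', '13']);
  return pairs;
}

// Pre-fix style check: trusts that an 'upgrade' event always comes with an
// Upgrade header, so a missing header becomes an uncaught TypeError.
function vulnerableUpgradeCheck(method, headers) {
  if (method !== 'GET' || headers.upgrade.toLowerCase() !== 'websocket') {
    return { ok: false, status: 400 };
  }
  return { ok: true };
}

// Hardened check: a missing Upgrade header is handled like an invalid one and
// the handshake is aborted with a normal 400 instead of a crash.
function hardenedUpgradeCheck(method, headers) {
  if (method !== 'GET') {
    return { ok: false, status: 405, reason: 'Invalid HTTP method' };
  }
  const upgrade = headers.upgrade;
  if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') {
    return { ok: false, status: 400, reason: 'Invalid Upgrade header' };
  }
  return { ok: true };
}

// Push one constructed request through the model and report whether the
// Upgrade header survived and what the given check did with it.
function simulate(padding, maxHeadersCount, check) {
  const headers = collectHeaders(buildHandshakePairs(padding), maxHeadersCount);
  const upgradeSeen = headers.upgrade !== undefined;
  try {
    return { upgradeSeen, result: check('GET', headers), threw: null };
  } catch (e) {
    return { upgradeSeen, result: null, threw: e.constructor.name };
  }
}

// Walk the four interesting cases: normal request, attack against the
// default limit with each check, and the "no limit" workaround.
for (const [label, padding, limit, check] of [
  ['benign request, vulnerable check', 10, 2000, vulnerableUpgradeCheck],
  ['2000 filler headers, vulnerable check', 2000, 2000, vulnerableUpgradeCheck],
  ['2000 filler headers, hardened check', 2000, 2000, hardenedUpgradeCheck],
  ['2000 filler headers, maxHeadersCount=0', 2000, 0, vulnerableUpgradeCheck],
]) {
  console.log(label, JSON.stringify(simulate(padding, limit, check)));
}
```

In a real server the same two checks would sit inside the http.Server 'upgrade' listener, which Node still emits for the oversized request because the parser's upgrade flag is set independently of the dropped header; that is why the fix has to live in the handler rather than in the parser.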
github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e
github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c
github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
github.com/websockets/ws/issues/2230
github.com/websockets/ws/pull/2231
github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
nodejs.org/api/http.html#servermaxheaderscount