Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhmNWgtaGg1Ni0zdnJn
Denial of Service in uws
Affected versions of uws do not properly handle large websocket messages when permessage-deflate is enabled, which may result in a denial of service condition.
If uws receives a 256 MB websocket message when permessage-deflate is enabled, the server applies its length check to the compressed payload and only inflates the message afterwards, before processing it. An excessively large websocket message can therefore pass the length check and still be cast from a Buffer to a string, which exceeds V8's maximum string size and crashes the process.
Recommendation
Update to version 0.10.9 or later. Alternatively, disable permessage-deflate.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhmNWgtaGg1Ni0zdnJn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
EPSS Percentage: 0.00098
EPSS Percentile: 0.41882
Identifiers: GHSA-hf5h-hh56-3vrg, CVE-2016-10544
References:
- https://github.com/uWebSockets/uWebSockets/commit/37deefd01f0875e133ea967122e3a5e421b8fcd9
- https://www.npmjs.com/advisories/149
- https://nvd.nist.gov/vuln/detail/CVE-2016-10544
- https://github.com/advisories/GHSA-hf5h-hh56-3vrg
Blast Radius: 0.0
Affected Packages
npm:uws
Dependent packages: 380
Dependent repositories: 84,585
Downloads: 222,880 last month
Affected Version Ranges: >= 0.10.0, <= 0.10.8
Fixed in: 0.10.9
All affected versions:
All unaffected versions: 0.14.1, 0.14.3, 0.14.4, 0.14.5, 8.14.0, 8.14.1, 9.14.0, 9.147.0, 9.148.0, 10.148.0, 10.148.1, 10.148.2, 99.0.0, 100.0.1, 200.0.0