
ReDoS in Sec-Websocket-Protocol header

Moderate severity. Published May 28, 2021 in websockets/ws. Updated Oct 6, 2021.

Package

ws (npm)

Affected versions

>= 7.0.0, < 7.4.6
>= 6.0.0, < 6.2.2
>= 5.0.0, < 5.2.3

Patched versions

7.4.6
6.2.2
5.2.3

Description

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

// Measure how long the subprotocol split takes as the number of spaces
// inside a single token grows. The header value has no comma at all, so
// the regex / *, */ is forced to try, and back off from, every run of
// spaces at every starting position.
for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  // The time grows roughly quadratically with length.
  console.log('length = %d, time = %f ns', length, end - start);
}

Patches

The vulnerability was fixed in ws@7.4.6 (websockets/ws@00c425e) and backported to ws@6.2.2 (websockets/ws@78c676d) and ws@5.2.3 (websockets/ws@76d47c1).

Workarounds

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Credits

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

References

lpinca (@lpinca) published the maintainer security advisory on May 25, 2021.

CVE ID

CVE-2021-32640

CVSS Score

5.3 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
