Vulnerability allows Denial of Service (DoS) via Regex Backtracking

[clepore]

I wasn't sure if you were aware of this: National Vulnerability DB - CVE-2020-7663

Thanks and cheers!

[md-hamed]

I think this one is related to https://github.com/faye/websocket-extensions-ruby (and it was fixed in their latest version btw). The similar vulnerability related to this package is CVE-2020-7662 and it was already resolved in the latest version. However; for some reason, I'm getting the CVE-2020-7663 vulnerability warning in the vulnerability management tool of one of my projects. I think these might be something wrong with the vulnerabilities database.

[jcoglan]

Just to confirm: CVE-2020-7662 relates to this repository, and CVE-2020-7663 relates to the Ruby version, https://github.com/faye/websocket-extensions-ruby. Both these CVEs have been addressed in published releases. Is there another reason you were flagging this, @clepore, or should I close this issue?

[clepore]

@jcoglan , I was seeing the same issue as @md-hamed. Our security tool is flagging this as "not fixed" for this repository saying it needs to be on version 0.1.5 or greater to be "fixed".

Edit: I see that this is fixed in 0.1.4. Thanks and yes you can close. Sorry for not researching harder.

[jcoglan]

@clepore That's ok, I was wondering whether your reporting tool is confusing this repo with https://github.com/faye/websocket-extensions-ruby, since both repos contain a package with the same name, but that repo is a Ruby package while this one is for Node.js.

Just to spell this out and make sure it's clear for others who find this thread:

• CVE-2020-7662 relates to this repo, which contains the npm package named websocket-extensions. The latest version, containing the fix for this CVE, is 0.1.4.
• CVE-2020-7663 relates to https://github.com/faye/websocket-extensions-ruby, which contains the Rubygems package named websocket-extensions. The latest version, containing the fix for this CVE, is 0.1.5.