Bug 1965488 (CVE-2021-32640) - CVE-2021-32640 nodejs-ws: Specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server
Summary: CVE-2021-32640 nodejs-ws: Specially crafted value of the `Sec-Websocket-Proto...
Keywords:
Status: NEW
Alias: CVE-2021-32640
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1965490 1970255 1970781 1971615 1965489 1967928 1967929 1967930 1967931 1969462 1969464 1969465 1969466 1971427 1972663 1972665 1972666 1972667 1972668 1972669 1972670 1972671 1972672 1972673 1972674 1972675
Blocks: 1965491
Reported: 2021-05-27 19:32 UTC by Pedro Sampaio
Modified: 2023-10-25 17:21 UTC (History)

Fixed In Version: ws 7.4.6, ws 6.2.2, ws 5.2.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-ws. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2021-05-27 19:32:34 UTC
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.

References:

https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff
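Added example (not the page's or the ws project's code): a single-pass parser for the `Sec-WebSocket-Protocol` list syntax that does a fixed amount of work per character and rejects the value outright above a length cap, the same bounding idea the `maxHeaderSize` mitigation above applies to the whole header block. The `MAX_HEADER_LEN` value and the strict rejection of empty list elements are assumptions of this example.

```javascript
// Added example, not the ws project's implementation: a single-pass parser for
// the Sec-WebSocket-Protocol header (RFC 6455: comma-separated RFC 7230 tokens).
// A backtracking regex can be driven into superlinear time by crafted input;
// this scan does a fixed amount of work per character.

// Characters allowed in an RFC 7230 token (tchar).
const TOKEN_CHARS = new Set(
  "!#$%&'*+-.^_`|~0123456789" +
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
);
// Assumed cap for this example; the maxHeaderSize option mentioned above bounds
// the whole header block at the HTTP layer before ws ever sees the value.
const MAX_HEADER_LEN = 1024;

// Returns { ok: true, protocols: [...] } or { ok: false, reason: '...' }.
function parseSubprotocols(header, maxLen = MAX_HEADER_LEN) {
  if (typeof header !== 'string') return { ok: false, reason: 'missing header' };
  if (header.length > maxLen) return { ok: false, reason: 'header too long' };
  const protocols = [];
  const seen = new Set();
  let start = -1; // index where the current token began, -1 when not in one
  let end = -1;   // index just past the token once trailing whitespace began
  // Close the current list element; empty elements and duplicates are rejected.
  const finishElement = (i) => {
    if (start === -1) return `empty list element at index ${i}`;
    const token = header.slice(start, end === -1 ? i : end);
    if (seen.has(token)) return `duplicate subprotocol "${token}"`;
    seen.add(token);
    protocols.push(token);
    start = end = -1;
    return null;
  };

  for (let i = 0; i < header.length; i++) {
    const ch = header[i];
    if (TOKEN_CHARS.has(ch)) {
      if (end !== -1) return { ok: false, reason: `whitespace inside token at ${i}` };
      if (start === -1) start = i;
    } else if (ch === ' ' || ch === '\t') {
      if (start !== -1 && end === -1) end = i; // optional whitespace after a token
    } else if (ch === ',') {
      const err = finishElement(i);
      if (err) return { ok: false, reason: err };
    } else {
      return { ok: false, reason: `invalid character at index ${i}` };
    }
  }
  const err = finishElement(header.length);
  return err ? { ok: false, reason: err } : { ok: true, protocols };
}
```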

Comment 1 Pedro Sampaio 2021-05-27 19:33:20 UTC
Created nodejs-ws tracking bugs for this issue:

Affects: epel-7 [bug 1965490]
Affects: fedora-33 [bug 1965489]

Comment 8 Tapas Jena 2021-06-11 08:03:18 UTC
Analysis is complete for Ansible Automation Platform and found that Ansible Tower is using affected version of ws. Creating required trackers.

