VDB

CVE-2021-32640

CVE-2021-32640 PUBLISHED

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.

Risk Scores

EPSS Score
1.15%
78.9th percentile

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | node-ws | 1.1.0+ds1.e6ddaae4-3ubuntu1, 0, * |
| Ubuntu:16.04:LTS | node-ws | 0, 0.7.2+ds1.349b7460-1, 1.0.1+ds1.e6ddaae4-1 |
| Ubuntu:22.04:LTS | node-ws | 0, 7.4.2+~cs18.0.8-2, 7.5.5+~cs13.0.13-1 |
| Ubuntu:20.04:LTS | node-ws | 7.2.1-3, 7.2.1-2, 1.1.0+ds1.e6ddaae4-5 |

Timeline

  • CVE Published
  • May 26, 2021 EPSS Score
  • Jul 28, 2021 EPSS Score
  • Sep 28, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Jan 28, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Mar 30, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • Apr 12, 2022 PoC Published
  • May 31, 2022 EPSS Score
  • Oct 1, 2022 EPSS Score