CVE-2021-32640: ReDoS in Sec-Websocket-Protocol header
First published: Tue May 25 2021(Updated: )
WebSockets ws library for Node.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDOS) flaw in the in Sec-Websocket-Protocol header. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a slow down on the ws server, and results in a denial of service condition.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ws Project Ws | >=5.0.0<6.2.2 | |
| Ws Project Ws | >=7.0.0<7.4.6 | |
| Netapp E-series Performance Analyzer | ||
| IBM Planning Analytics | <=2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff
- https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
- https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210706-0005/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/202549
- https://www.ibm.com/support/pages/node/7096528 (Advisory)
- https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E
Frequently Asked Questions
What is CVE-2021-32640?
CVE-2021-32640 is a vulnerability in the ws library for Node.js that allows a specially crafted value of the `Sec-Websocket-Protocol` header to slow down a ws server.
What software is affected by CVE-2021-32640?
The ws library versions 5.0.0 to 6.2.2 and versions 7.0.0 to 7.4.6 for Node.js are affected. Additionally, the Netapp E-series Performance Analyzer is also affected.
What is the severity of CVE-2021-32640?
CVE-2021-32640 has a severity level of 5.3 (medium).
How can I fix CVE-2021-32640?
To fix CVE-2021-32640, you should update the ws library to version 7.4.6 or higher for Node.js.
Where can I find more information about CVE-2021-32640?
You can find more information about CVE-2021-32640 in the references provided: [link 1](https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff), [link 2](https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693), [link 3](https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E).
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/references
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/ws project
- canonical/ws project ws
- version/ws project ws/5.0.0
- version/ws project ws/7.0.0
- vendor/netapp
- canonical/netapp e-series performance analyzer
- vendor/ibm
- canonical/ibm planning analytics
- version/ibm planning analytics/2.0