
CVE-2016-10542
https://notcve.org/view.php?id=CVE-2016-10542
31 May 2018 — ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier. • https://github.com/nodejs/node/issues/7388 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •

CVE-2016-10518
https://notcve.org/view.php?id=CVE-2016-10518
31 May 2018 — A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance and that is where the vulnerability existed. ws didn't do any checks for the type of data it was sending. With buffers in node when... • https://gist.github.com/c0nrad/e92005446c480707a74a • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-201: Insertion of Sensitive Information Into Sent Data •