CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-37890 – Denial of service when handling a request with many HTTP headers in ws
https://notcve.org/view.php?id=CVE-2024-37890
17 Jun 2024 — ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderS... • https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f • CWE-400: Uncontrolled Resource Consumption CWE-476: NULL Pointer Dereference •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2021-33880
https://notcve.org/view.php?id=CVE-2021-33880
06 Jun 2021 — The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack. La biblioteca aaugustin websockets versiones anteriores a 9.1, para Python presenta una Discrepancia de Sincronización Observable en servidores cuando la Autenticación Básica HTTP está habilitada con basic_auth_protocol_factory(credentials=...). Un at... • https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0 • CWE-203: Observable Discrepancy •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000518
https://notcve.org/view.php?id=CVE-2018-1000518
26 Jun 2018 — aaugustin websockets version 4 contains a CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Servers and clients, unless configured with compression=None that can result in Denial of Service by memory exhaustion. This attack appear to be exploitable via Sending a specially crafted frame on an established connection. This vulnerability appears to have been fixed in 5. aaugustin websockets 4 contiene una vulnerabilidad CWE-409: gestión incorrecta de datos altamente comp... • https://github.com/aaugustin/websockets/pull/407 • CWE-400: Uncontrolled Resource Consumption •