Skip to content

Denial of Service in uws

High severity GitHub Reviewed Published Sep 1, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm uws (npm)

Affected versions

>= 0.10.0, <= 0.10.8

Patched versions

0.10.9

Description

Affected versions of uws do not properly handle large websocket messages when permessage-deflate is enabled, which may result in a denial of service condition.

If uws recieves a 256Mb websocket message when permessage-deflate is enabled, the server will compress the message prior to executing the length check, and subsequently extract the message prior to processing. This can result in a situation where an excessively large websocket message passes the length checks, yet still gets cast from a Buffer to a string, which will exceed v8's maximum string size and crash the process.

Recommendation

Update to version 0.10.9 or later.

Alternatively, disable permessage-deflate.

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 1, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

0.098%
(42nd percentile)

Weaknesses

CVE ID

CVE-2016-10544

GHSA ID

GHSA-hf5h-hh56-3vrg

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.