Regular Expression Denial of Service in ws
In ws before versions 5.2.3, 6.2.2 and 7.4.6 there is a ReDoS vulnerability.
A specially crafted value of the Sec-WebSocket-Protocol header can be used to significantly slow down a ws server.
Proof of concept

```js
for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  // The split ws applied to the header value: the regex backtracks over
  // every run of spaces looking for a comma, so the time grows quadratically.
  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ms', length, Number(end - start) / 1e6);
}
```
The vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).
The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from the University of California, Santa Barbara.
Upgrade to version 5.2.3, 6.2.2 or 7.4.6 or later.
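The fix replaced the regex split with a single-pass parser of the header value. The code below is an added example, not ws's own code: it puts the vulnerable split beside a linear-time parser of that kind, so the malformed value from the proof of concept is rejected in time proportional to its length instead of its square.

```javascript
// Added example, not code from ws: the vulnerable regex split next to a
// single-pass parser of the kind the fix moved to. Plain Node.js, no deps.

// Vulnerable form: on 'b' + ' '.repeat(n) + 'x' the / *, */ pattern, at each
// space, consumes the rest of the run and backtracks one space at a time
// looking for a comma that never comes, so the split is quadratic in n.
function splitWithRegex(header) {
  return header.trim().split(/ *, */);
}

// Hardened form: one left-to-right pass, O(n). A name is an RFC 7230 token;
// names are separated by commas with optional spaces or tabs around them.
// Returns the names in order or throws SyntaxError on malformed input.
const TOKEN_CHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]$/;

function parseSubprotocols(header) {
  const protocols = new Set();
  let start = -1; // index where the current name begins
  let end = -1;   // index just past it, once trailing whitespace is seen
  let i = 0;
  for (; i < header.length; i++) {
    const c = header[i];
    if (end === -1 && TOKEN_CHAR.test(c)) {
      if (start === -1) start = i;
    } else if (i !== 0 && (c === ' ' || c === '\t')) {
      if (end === -1 && start !== -1) end = i;
    } else if (c === ',') {
      if (start === -1) throw new SyntaxError(`Unexpected character at index ${i}`);
      if (end === -1) end = i;
      const name = header.slice(start, end);
      if (protocols.has(name)) throw new SyntaxError(`The "${name}" subprotocol is duplicated`);
      protocols.add(name);
      start = end = -1;
    } else {
      throw new SyntaxError(`Unexpected character at index ${i}`);
    }
  }
  if (start === -1 || end !== -1) throw new SyntaxError('Unexpected end of input');
  const name = header.slice(start, i);
  if (protocols.has(name)) throw new SyntaxError(`The "${name}" subprotocol is duplicated`);
  protocols.add(name);
  return [...protocols];
}
```

On the proof-of-concept input the parser throws at the first character after the run of spaces; duplicated names, empty names and stray characters are rejected as well, which the regex split silently passed through.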
Advisory published: Jun 1st, 2021
Reported by Anonymous: May 28th, 2021