CVE-2016-10542
denial of service vulnerability in ws
What is CVE-2016-10542 About?
This vulnerability is a denial of service (DoS) flaw in affected versions of the `ws` WebSocket library. It occurs when the server fails to limit the size of incoming WebSocket payloads, allowing a large payload to crash the Node.js process. This can lead to service unavailability and is relatively straightforward to exploit.
Affected Software
Technical Details
The vulnerability in `ws` arises from its failure to adequately restrict the maximum allowed size for incoming WebSocket payloads. When a vulnerable `ws` server receives an excessively large payload from a client, it attempts to process this data without sufficient memory allocation or size validation. This can cause the Node.js process hosting the `ws` server to exhaust available memory or encounter other resource limits, leading to an unhandled exception or process termination. Consequently, the server crashes, resulting in a denial of service for legitimate users. The attack vector involves a malicious client sending a single, oversized WebSocket message.
What is the Impact of CVE-2016-10542?
Successful exploitation may allow attackers to cause the server application to crash, leading to a denial of service and disrupting the availability of the affected service.
What is the Exploitability of CVE-2016-10542?
Exploitation of this vulnerability is trivial and has low complexity. It can be performed remotely without any authentication or special privileges. An attacker simply needs to send a single, very large WebSocket payload to a vulnerable `ws` server. There are no complex prerequisites other than access to the WebSocket endpoint. The likelihood of exploitation is high, as it requires minimal effort from the attacker and can reliably cause a service disruption if the `maxpayload` option is not configured or is set to an insecurely high value. No specific authentication or privilege is needed to send the oversized payload.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2016-10542?
Available Upgrade Options
- ws
- <1.1.1 → Upgrade to 1.1.1
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/advisories/GHSA-6663-c963-2gqg
- https://osv.dev/vulnerability/GHSA-6663-c963-2gqg
- https://www.npmjs.com/advisories/120
- https://github.com/nodejs/node/issues/7388
- https://nvd.nist.gov/vuln/detail/CVE-2016-10542
- https://nodesecurity.io/advisories/120
- https://github.com/nodejs/node/issues/7388
What are Similar Vulnerabilities to CVE-2016-10542?
Similar Vulnerabilities: CVE-2017-16129 , CVE-2017-12626 , CVE-2016-10537 , CVE-2018-3721 , CVE-2018-1000537
