CVE-2016-10542
denial of service vulnerability in ws (npm)
What is CVE-2016-10542 About?
This vulnerability is a denial of service (DoS) flaw in affected versions of the `ws` WebSocket library. It occurs when the server fails to limit the size of incoming WebSocket payloads, allowing a large payload to crash the Node.js process. This can lead to service unavailability and is relatively straightforward to exploit.
Affected Software
Technical Details
The vulnerability in ws arises from its failure to adequately restrict the maximum allowed size for incoming WebSocket payloads. When a vulnerable ws server receives an excessively large payload from a client, it attempts to process this data without sufficient memory allocation or size validation. This can cause the Node.js process hosting the ws server to exhaust available memory or encounter other resource limits, leading to an unhandled exception or process termination. Consequently, the server crashes, resulting in a denial of service for legitimate users. The attack vector involves a malicious client sending a single, oversized WebSocket message.
What is the Impact of CVE-2016-10542?
Successful exploitation may allow attackers to cause the server application to crash, leading to a denial of service and disrupting the availability of the affected service.
What is the Exploitability of CVE-2016-10542?
Exploitation of this vulnerability is trivial and has low complexity. It can be performed remotely without any authentication or special privileges. An attacker simply needs to send a single, very large WebSocket payload to a vulnerable ws server. There are no complex prerequisites other than access to the WebSocket endpoint. The likelihood of exploitation is high, as it requires minimal effort from the attacker and can reliably cause a service disruption if the maxpayload option is not configured or is set to an insecurely high value. No specific authentication or privilege is needed to send the oversized payload.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2016-10542?
Available Upgrade Options
- ws
- <1.1.1 → Upgrade to 1.1.1
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/advisories/GHSA-6663-c963-2gqg
- https://osv.dev/vulnerability/GHSA-6663-c963-2gqg
- https://www.npmjs.com/advisories/120
- https://github.com/nodejs/node/issues/7388
- https://nvd.nist.gov/vuln/detail/CVE-2016-10542
- https://nodesecurity.io/advisories/120
- https://github.com/nodejs/node/issues/7388
What are Similar Vulnerabilities to CVE-2016-10542?
Similar Vulnerabilities: CVE-2017-16129 , CVE-2017-12626 , CVE-2016-10537 , CVE-2018-3721 , CVE-2018-1000537
