CVE-2020-7662
Regular Expression Denial of Service (ReDoS) vulnerability in websocket-extensions (npm)

Weakness: Regular Expression Denial of Service (ReDoS). Known public exploit: none.

What is CVE-2020-7662 About?

This ReDoS vulnerability lets an unauthenticated attacker exhaust a server's processing capacity with a single specially crafted WebSocket handshake request. A Sec-WebSocket-Extensions header whose quoted string parameter value is never closed and consists of a repeating two-byte sequence (a backslash followed by another character) makes the header parser's regular expression backtrack for a time that grows exponentially with the length of the value. The request is trivial to construct, and on a single-threaded server the stall blocks every other connection handled by that process.

Affected Software

websocket-extensions <0.1.4

Technical Details

This vulnerability is a Regular Expression Denial of Service (ReDoS) flaw in the parser for the Sec-WebSocket-Extensions header of a WebSocket handshake request. An attacker constructs a header containing an unclosed string parameter value made of a repeating two-byte sequence of a backslash and some other character (e.g., a; b="\c\c\c\c\c\c\c\c\c\c ...). The quoted-string part of the regular expression can consume each backslash-plus-character pair in more than one way (as an escape sequence, or as two ordinary characters), and because the closing quote never arrives the engine has to try every combination before it can reject the header. The number of combinations doubles with each additional pair, so the time needed to reject the value grows exponentially with its length while the request itself stays small. Regular expression matching is synchronous, so in a single-threaded server such as a Node.js process the event loop is blocked for the whole duration: no other request or frame on that process is serviced, and the service is effectively unavailable.

What is the Impact of CVE-2020-7662?

Successful exploitation allows a remote attacker to cause a denial of service: a single handshake request ties up the CPU in regular expression backtracking, and on a single-threaded server every other connection on that process stalls until the match finally fails or the process is killed. The impact is on availability only; no data disclosure or code execution results.

What is the Exploitability of CVE-2020-7662?

Exploitation consists of sending one WebSocket handshake request whose Sec-WebSocket-Extensions header carries the malicious value. Attack complexity is low: the payload is a fixed two-byte pattern repeated to the desired length, the header is parsed as part of the handshake before the application sees the connection, and no authentication or privileges are required. Because the handshake is the first thing a WebSocket endpoint processes, anyone who can reach the endpoint over the network can trigger the flaw. The only prerequisite is that the application, directly or through a dependency, uses websocket-extensions below 0.1.4 to parse the header. The risk is highest for public-facing WebSocket services running as a single-threaded process, where one request can take the whole service offline and repeating the request keeps it there.
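To make the backtracking described in the Technical Details and Exploitability sections concrete, here is an added example in JavaScript. It is written for this page and is not code from the websocket-extensions project: it reconstructs the shape of a quoted-string regular expression with overlapping alternatives (an assumption for illustration, not a copy of the library's pattern), measures how the cost of rejecting the crafted header grows with the number of backslash pairs, and contrasts it with a form whose alternatives cannot overlap. The helper names buildExtensionRegex, craftHeader and timedTest are the example's own.

```javascript
'use strict';
// Added example, not code from the websocket-extensions project. The two
// QUOTED patterns below are reconstructed to show the vulnerable *shape*
// (an assumption for illustration) and a hardened alternative.

// RFC 6455 / RFC 7230 token characters, used for extension and parameter names.
const TOKEN = /[!#$%&'*+\-.^_`|~0-9A-Za-z]+/;

// Vulnerable shape: inside the quotes a backslash can be consumed either by the
// escape branch (\\ plus any ASCII byte) or by the catch-all branch, which does
// not exclude '\'. Every "\c" pair therefore has two parses, and an unclosed
// value of n pairs forces the engine through about 2^n paths before it fails.
const QUOTED_VULN = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/;

// Hardened shape: the catch-all branch also excludes '\', so a backslash can
// only start an escape pair. Each byte has exactly one parse and rejecting an
// unclosed value costs time linear in its length.
const QUOTED_SAFE = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/;

// Anchored matcher for one extension entry with optional parameters:
// extension-token *( ";" param ), param = token [ "=" ( token | quoted ) ].
function buildExtensionRegex(quoted) {
  const param = `${TOKEN.source}(?:=(?:${TOKEN.source}|${quoted.source}))?`;
  return new RegExp(`^${TOKEN.source}(?: *; *${param})*$`);
}

const EXT_VULN = buildExtensionRegex(QUOTED_VULN);
const EXT_SAFE = buildExtensionRegex(QUOTED_SAFE);

// Constructed malicious header value: an unclosed quoted parameter whose body is
// the two-byte sequence backslash + 'c', repeated `pairs` times.
function craftHeader(pairs) {
  return 'a; b="' + '\\c'.repeat(pairs);
}

// Run one match and report the verdict together with its wall-clock cost.
function timedTest(re, value) {
  const t0 = process.hrtime.bigint();
  const accepted = re.test(value);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { accepted, ms };
}

function demo() {
  // Well-formed values are accepted by both forms.
  for (const v of ['permessage-deflate; client_max_window_bits=15', 'a; b="\\c\\c"']) {
    console.log(`${JSON.stringify(v)} -> vulnerable=${EXT_VULN.test(v)} hardened=${EXT_SAFE.test(v)}`);
  }
  // Both forms reject the crafted value, but the vulnerable form's cost doubles
  // with every extra pair. Kept small on purpose: a few more pairs would stall
  // this process for minutes.
  for (const pairs of [12, 16, 20]) {
    const value = craftHeader(pairs);
    const v = timedTest(EXT_VULN, value);
    const s = timedTest(EXT_SAFE, value);
    console.log(`${pairs} pairs: vulnerable ${v.ms.toFixed(2)} ms, hardened ${s.ms.toFixed(2)} ms`);
  }
  // The hardened form copes with a header far larger than any real client sends.
  console.log(`5000 pairs, hardened: ${timedTest(EXT_SAFE, craftHeader(5000)).ms.toFixed(2)} ms`);
}

demo();
```

Run it with node: the vulnerable form's time multiplies by roughly 16 for every four extra pairs, which is why the loop stops at 20 pairs, while the hardened form rejects 5000 pairs in well under a millisecond. The hardened shape is also what to look for when reviewing a regex for this class of bug: the alternatives inside a repeated group must be mutually exclusive on the character they start with. Upgrading to 0.1.4 remains the actual remediation for the library itself.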

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2020-7662?

Available Upgrade Options

  • websocket-extensions
    • <0.1.4 → Upgrade to 0.1.4

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2020-7662?

Similar Vulnerabilities: CVE-2020-7753 , CVE-2020-26256 , CVE-2019-10756 , CVE-2019-10771 , CVE-2020-8174