CVE-2020-7693
Denial of Service vulnerability in sockjs (npm)
What is CVE-2020-7693 About?
The `sockjs` package before 0.3.20 is vulnerable to a denial of service. Incorrect handling of the 'Upgrade' header with a 'websocket' value can crash containers hosting SockJS applications. This allows attackers to easily disrupt service by sending a maliciously formed HTTP header.
Affected Software
Technical Details
The vulnerability in the sockjs package, prior to version 0.3.20, stems from improper handling of the HTTP 'Upgrade' header when its value is 'websocket'. When a client sends a request carrying 'Upgrade: websocket' to a server hosting a SockJS application, the sockjs library (or the framework beneath it) does not reject or otherwise gracefully handle this unsupported upgrade request. Instead, the request leads to an unhandled exception or a critical error state that brings down the entire container (e.g., the Node.js process) hosting the SockJS application. The result is a denial of service: the application becomes unavailable. The attack vector is a single HTTP request carrying that header.
What is the Impact of CVE-2020-7693?
Successful exploitation may allow attackers to crash the application, leading to a denial of service and disrupting the availability of the service.
What is the Exploitability of CVE-2020-7693?
Exploitation of this vulnerability is of low complexity. An attacker merely needs to send an HTTP request with the 'Upgrade: websocket' header to an application running the vulnerable sockjs package. No authentication or special privileges are required, because the vulnerability is triggered by a malformed HTTP header that can be sent to any publicly reachable endpoint, so this is a remote exploitation scenario. The primary risk factor is any publicly accessible endpoint serving a SockJS application with the vulnerable package, which makes such deployments highly susceptible to denial-of-service attacks with minimal effort.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| andsnw | https://github.com/andsnw/sockjs-dos-py | CVE-2020-7693: SockJS 0.3.19 Denial of Service POC |
What are the Available Fixes for CVE-2020-7693?
Available Upgrade Options
- sockjs
  - <0.3.20 → Upgrade to 0.3.20
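Since the only fix is an upgrade, the practical check is whether any copy of sockjs below 0.3.20 is still pinned in a project's lockfile, including transitive copies nested under other packages. The following Node.js script is an added example, not code from the advisory or the sockjs project: it walks an npm `package-lock.json` (both the v1 nested `dependencies` shape and the v2/v3 flat `packages` shape), compares every sockjs entry against the fixed version named on this page, and reports the vulnerable ones. The lockfile embedded in it is constructed sample input; the helper names (`auditLock`, `findSockjs`, `isVulnerableSockjs`) are this example's own.

```javascript
// Added example (not part of the advisory): audit an npm lockfile for
// sockjs versions below the fixed release 0.3.20 named on this page.

const FIXED_VERSION = '0.3.20'; // first non-vulnerable sockjs release per the advisory

// Parse "MAJOR.MINOR.PATCH" (leading "v" and pre-release/build suffixes ignored).
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric comparison per component; returns negative, zero or positive.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isVulnerableSockjs(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Collect every sockjs entry in the lockfile with its install path and version.
function findSockjs(lock) {
  const found = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/sockjs' || path.endsWith('/node_modules/sockjs')) {
      found.push({ path, version: entry.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" objects
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'sockjs') found.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// Returns findings for every vulnerable copy (empty array means clean).
function auditLock(lock) {
  return findSockjs(lock)
    .filter((f) => isVulnerableSockjs(f.version))
    .map((f) => ({ ...f, fix: `upgrade to ${FIXED_VERSION} or later` }));
}

// Constructed sample lockfile (v2 shape): a vulnerable direct copy and a
// patched transitive copy under another package.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/sockjs': { version: '0.3.19' },
    'node_modules/some-dev-server': { version: '3.0.0' },
    'node_modules/some-dev-server/node_modules/sockjs': { version: '0.3.20' },
  },
};

// Read and audit a real lockfile from disk.
function auditLockfile(filePath) {
  const fs = require('fs');
  return auditLock(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

if (typeof module !== 'undefined' && require.main === module) {
  const findings = process.argv[2] ? auditLockfile(process.argv[2]) : auditLock(SAMPLE_LOCK);
  for (const f of findings) {
    console.log(`${f.path}: sockjs ${f.version} is vulnerable (CVE-2020-7693); ${f.fix}`);
  }
  if (findings.length === 0) console.log('no vulnerable sockjs copies found');
}
```

Run it as `node audit-sockjs.js path/to/package-lock.json`; with no argument it audits the embedded sample and reports the direct 0.3.19 copy only. Nested copies matter here because sockjs is usually pulled in transitively (for example by development servers), so a top-level `package.json` pin alone does not prove the fix is in place.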
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2020-7693
- https://osv.dev/vulnerability/GHSA-c9g6-9335-x697
- https://github.com/sockjs/sockjs-node/commit/dd7e642cd69ee74385825816d30642c43e051d16
- https://github.com/andsnw/sockjs-dos-py
- https://snyk.io/vuln/SNYK-JS-SOCKJS-575261
- https://github.com/sockjs/sockjs-node/issues/252
- https://github.com/sockjs/sockjs-node/pull/265
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-575448
What are Similar Vulnerabilities to CVE-2020-7693?
Similar Vulnerabilities: CVE-2018-1000840, CVE-2018-1000841, CVE-2020-7694, CVE-2021-23386, CVE-2022-24903
