CVE-2021-32640
Denial of Service vulnerability in ws
What is CVE-2021-32640 About?
This vulnerability allows attackers to significantly slow down a 'ws' server by sending a specially crafted `Sec-Websocket-Protocol` header. The crafted header can cause excessive processing, leading to a denial of service. Exploitation is relatively easy, requiring only the ability to send specific HTTP headers.
Affected Software
- ws
- >6.0.0, <6.2.2
- >5.0.0, <5.2.3
- >7.0.0, <7.4.6
Technical Details
The vulnerability exists in 'ws' versions prior to 7.4.6, 6.2.2, and 5.2.3. A specially crafted value within the `Sec-Websocket-Protocol` HTTP header can trigger excessive computational operations within the 'ws' server. Specifically, a proof-of-concept demonstrates that a long string of spaces padded with other characters, when processed by `value.trim().split(/ *, */)`, leads to a disproportionately long execution time as the string length increases. This can be exploited by an attacker to send such a header, causing the server to consume significant CPU resources and degrade its performance, potentially resulting in a denial of service for legitimate clients.
What is the Impact of CVE-2021-32640?
Successful exploitation may allow attackers to degrade the performance of a 'ws' server, leading to slow responses, resource exhaustion, and ultimately a denial of service, disrupting communications for legitimate users.
What is the Exploitability of CVE-2021-32640?
Exploitation of this vulnerability is straightforward and requires the ability to send a custom `Sec-Websocket-Protocol` header during a WebSocket handshake with a vulnerable 'ws' server. The attack is remote, as it involves crafting and sending HTTP headers over a network. There are no specific authentication requirements, as the vulnerability can be triggered during the initial connection setup. Privilege requirements are also minimal, as it only requires network access to the server. The primary prerequisite is an exposed 'ws' server using a vulnerable library version. The risk is heightened when 'ws' servers are publicly accessible and process incoming WebSocket connections without adequate input validation or header size limits.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-32640?
About the Fix from Resolved Security
This patch ensures each protocol in the WebSocket subprotocol list is individually trimmed of whitespace, preventing unintended leading/trailing spaces from being included in protocol names. This fixes CVE-2021-32640 by preventing attackers from bypassing protocol validation or causing logic errors through crafted protocol headers with extra spaces.
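As an added example that is not the ws project's own code (the real fix is in the linked commit), here is a single-pass `Sec-WebSocket-Protocol` parser in the spirit of that fix: it visits each byte once and rejects malformed values, so processing time stays linear in header length no matter how many spaces the client pads it with. The function names, the `selectSubprotocol` helper and the sample headers are this example's own assumptions.

```javascript
// Added example, not code from the ws project. One-pass parser for the
// Sec-WebSocket-Protocol header value: every character is visited once, so
// runtime is linear in header length however much whitespace the client
// sends, unlike a backtracking split on / *, */. Only RFC 7230 "token"
// characters are accepted; anything else rejects the whole header.
const TOKEN_CHAR = /[!#$%&'*+\-.^_`|~0-9A-Za-z]/;

function parseSubprotocols(header) {
  const protocols = new Set();
  let start = -1; // index where the current token began, -1 if none
  let end = -1;   // index just past the token once trailing whitespace was seen
  for (let i = 0; i < header.length; i++) {
    const ch = header[i];
    if (end === -1 && TOKEN_CHAR.test(ch)) {
      if (start === -1) start = i;             // first char of a token
    } else if (i !== 0 && (ch === ' ' || ch === '\t')) {
      if (end === -1 && start !== -1) end = i; // whitespace after a token
    } else if (ch === ',') {
      if (start === -1) throw new SyntaxError(`Unexpected character at index ${i}`);
      if (end === -1) end = i;
      const protocol = header.slice(start, end);
      if (protocols.has(protocol)) throw new SyntaxError(`Duplicate subprotocol "${protocol}"`);
      protocols.add(protocol);
      start = end = -1;
    } else {
      // token char after whitespace ("a b"), leading whitespace, or a non-token byte
      throw new SyntaxError(`Unexpected character at index ${i}`);
    }
  }
  if (start === -1 || end !== -1) throw new SyntaxError('Unexpected end of input');
  const last = header.slice(start);
  if (protocols.has(last)) throw new SyntaxError(`Duplicate subprotocol "${last}"`);
  protocols.add(last);
  return protocols;
}

// How a server would use it (hypothetical helper; status codes are this
// example's choice): pick the first offered protocol it supports, or answer
// the handshake with HTTP 400 when the header is malformed.
function selectSubprotocol(header, supported) {
  let offered;
  try {
    offered = parseSubprotocols(header);
  } catch (e) {
    if (e instanceof SyntaxError) return { status: 400, protocol: null };
    throw e;
  }
  for (const p of offered) if (supported.has(p)) return { status: 101, protocol: p };
  return { status: 101, protocol: null }; // nothing in common: application policy decides
}
```

On vulnerable versions that cannot be upgraded immediately, capping request header size at the HTTP server (Node's `maxHeaderSize` option) bounds how much input the slow split can be fed.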
Available Upgrade Options
- ws
- >5.0.0, <5.2.3 → Upgrade to 5.2.3
- ws
- >6.0.0, <6.2.2 → Upgrade to 6.2.2
- ws
- >7.0.0, <7.4.6 → Upgrade to 7.4.6
Additional Resources
- https://github.com/websockets/ws
- https://osv.dev/vulnerability/GHSA-6fc8-4gx4-v693
- https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E
- https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
- https://github.com/websockets/ws/issues/1895
- https://nvd.nist.gov/vuln/detail/CVE-2021-32640
- https://security.netapp.com/advisory/ntap-20210706-0005
- https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff
What are Similar Vulnerabilities to CVE-2021-32640?
Similar Vulnerabilities: CVE-2021-32723, CVE-2021-29469, CVE-2021-29482, CVE-2021-32014, CVE-2021-32012
