CVE-2020-7662: Input Validation
The Faye websocket-extensions npm module is vulnerable to a denial of service caused by improper validation of the Sec-WebSocket-Extensions header. By sending a specially crafted value in the Sec-WebSocket-Extensions header during the WebSocket handshake, a remote, unauthenticated attacker can trigger catastrophic regular-expression backtracking in the extension parser and cause a denial of service condition.
Other sources
websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
Reference: https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv
Upstream commit: https://github.com/faye/websocket-extensions-node/commit/29496f6838bfadfe5a2f85dff33ed0ba33873237
— Red Hat
Frequently Asked Questions
What is CVE-2020-7662?
CVE-2020-7662 is a vulnerability in the websocket-extensions npm module that allows Denial of Service (DoS) via Regex Backtracking.
How can the websocket-extensions npm module be exploited?
The vulnerability in the websocket-extensions npm module can be exploited by sending a WebSocket handshake whose Sec-WebSocket-Extensions header contains a parameter with a quoted-string value that is never closed and whose content is a repeating two-byte sequence of a backslash followed by some other character. The parser's regular expression backtracks over every way of splitting that sequence before rejecting the header, so the time to reject it grows with the payload length and blocks the single-threaded Node.js event loop for the duration.
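The following is an added example illustrating the two descriptions above (the Red Hat/advisory text and the FAQ answer); it is not code from websocket-extensions, from its fix commit, or from any of the referenced sources. `QUOTED_BACKTRACKING` is a reconstruction of the shape of pattern the advisory describes (a quoted-string regex whose escape alternative and plain-character alternative both accept a backslash), `redosPayload` builds the constructed attacker header value, and `parseExtensions` is an assumed hand-written, single-pass replacement parser written for this page, not the project's own fix. All function names are illustrative.

```javascript
// Added example for CVE-2020-7662 (not code from websocket-extensions).
// Part 1: a quoted-string regex of the shape the advisory describes, reconstructed
// here for illustration. The two alternatives overlap: `\\[\x00-\x7f]` consumes a
// backslash plus any byte, while the plain-character class also accepts a backslash.
// A run of "\c" pairs can therefore be split up in roughly 2^pairs ways, and when the
// closing quote never arrives the engine backtracks through all of them before failing.
const QUOTED_BACKTRACKING = /^"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"$/;

// Constructed attacker header value: a; b=" followed by `pairs` copies of \c and
// no closing quote, matching the advisory's description.
function redosPayload(pairs) {
  return 'a; b="' + '\\c'.repeat(pairs);
}

// Time the backtracking regex on the unclosed string alone. Returns whether it
// matched (it never does) and the elapsed milliseconds.
function measureBacktracking(pairs) {
  const input = '"' + '\\c'.repeat(pairs);
  const t0 = process.hrtime.bigint();
  const matched = QUOTED_BACKTRACKING.test(input);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { matched, ms };
}

// Part 2: an assumed single-pass parser for Sec-WebSocket-Extensions following the
// RFC 6455 section 9.1 grammar: extension-list = 1#extension,
// extension = token *(";" param), param = token ["=" (token | quoted-string)].
// Every input character is consumed at most once, so an unclosed quoted string
// costs O(n) whatever its content. Returns null on any syntax error.
function isTokenChar(ch) {
  return /[!#$%&'*+\-.^_`|~0-9A-Za-z]/.test(ch); // RFC 7230 tchar
}

function parseExtensions(header) {
  const s = String(header);
  const n = s.length;
  let i = 0;
  const exts = [];

  const skipOWS = () => { while (i < n && (s[i] === ' ' || s[i] === '\t')) i++; };
  const readToken = () => {
    const start = i;
    while (i < n && isTokenChar(s[i])) i++;
    return i > start ? s.slice(start, i) : null;
  };
  const readQuoted = () => {               // entered with s[i] === '"'
    let out = '';
    i++;
    while (i < n) {
      const ch = s[i];
      if (ch === '"') { i++; return out; } // closing quote found
      if (ch === '\\') {                   // quoted-pair: take the next char literally
        if (i + 1 >= n) return null;       // dangling backslash at end of input
        out += s[i + 1]; i += 2; continue;
      }
      const code = ch.charCodeAt(0);
      if ((code < 0x20 && ch !== '\t') || code === 0x7f) return null; // CTL not allowed
      out += ch; i++;
    }
    return null;                           // ran out of input: unclosed string
  };

  for (;;) {
    skipOWS();
    const name = readToken();
    if (name === null) return null;        // empty or malformed extension name
    const params = {};
    for (;;) {
      skipOWS();
      if (s[i] !== ';') break;
      i++; skipOWS();
      const key = readToken();
      if (key === null) return null;       // ";" not followed by a parameter name
      let value = true;                    // valueless parameter (e.g. client_no_context_takeover)
      if (s[i] === '=') {
        i++;
        value = s[i] === '"' ? readQuoted() : readToken();
        if (value === null) return null;
      }
      params[key] = value;
    }
    exts.push({ name, params });
    skipOWS();
    if (i >= n) return exts;
    if (s[i] !== ',') return null;         // junk between extensions
    i++;
  }
}

// Demo: regex cost climbs steeply with the pair count; the linear parser rejects a
// 400 KB unclosed string in a few milliseconds.
for (const pairs of [8, 12, 16, 20]) {
  console.log(`regex: ${pairs} pairs -> ${measureBacktracking(pairs).ms.toFixed(1)} ms`);
}
const big = redosPayload(200000);
const start = process.hrtime.bigint();
const verdict = parseExtensions(big);
console.log(`linear parser: ${big.length} bytes -> ${verdict} in ` +
            `${(Number(process.hrtime.bigint() - start) / 1e6).toFixed(1)} ms`);
```

Timings depend on the machine and the Node.js version, so the demo prints them rather than checking them; what is stable is that the regex never matches an unclosed string and that the hand-written parser rejects the same input after a single pass. The practical remediation is still the upgrade to websocket-extensions 0.1.4 or later; a length cap on request headers at the reverse proxy is a useful defence-in-depth for any other regex that runs over attacker-controlled header values.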
What is the severity of CVE-2020-7662?
CVE-2020-7662 has a CVSS v3 base score of 7.5 (High): it is exploitable over the network without authentication or user interaction, and its impact is on availability only.
How do I fix the websocket-extensions npm module vulnerability (CVE-2020-7662)?
To fix the vulnerability, update the websocket-extensions npm module to version 0.1.4 or later.
Where can I find more information about CVE-2020-7662?
You can find more information about CVE-2020-7662 in the following references: [Reference 1](https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv), [Reference 2](https://github.com/faye/websocket-extensions-node/commit/29496f6838bfadfe5a2f85dff33ed0ba33873237), [Reference 3](https://access.redhat.com/errata/RHSA-2020:2796).