#VU103054 Incorrect Regular Expression in Websocket-extensions - CVE-2020-7662
Published: January 20, 2025
Vulnerability identifier: #VU103054
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-7662
CWE-ID: CWE-185
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Websocket-extensions
Websocket-extensions
Software vendor:
Abdul Rafay
Abdul Rafay
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..
External links
- https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions
- https://github.com/faye/websocket-extensions-node/commit/29496f6838bfadfe5a2f85dff33ed0ba33873237
- https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv
- https://snyk.io/vuln/SNYK-JS-WEBSOCKETEXTENSIONS-570623