scriptex/webpack-mpa-next

CVE-2021-32640 (Medium) detected in ws-7.4.5.tgz, ws-6.2.1.tgz #589

whitesource-bolt-for-github[bot] posted on GitHub

CVE-2021-32640 - Medium Severity Vulnerability

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Libraries - <b>ws-7.4.5.tgz</b>, <b>ws-6.2.1.tgz</b></summary> <p>

<details><summary><b>ws-7.4.5.tgz</b></summary>

<p>Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js</p> <p>Library home page: <a href="https://registry.npmjs.org/ws/-/ws-7.4.5.tgz">https://registry.npmjs.org/ws/-/ws-7.4.5.tgz</a></p> <p>Path to dependency file: webpack-mpa-next/package.json</p> <p>Path to vulnerable library: webpack-mpa-next/node_modules/ws</p> <p>

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • browser-sync-ui-2.26.14.tgz
      • socket.io-client-2.4.0.tgz
        • engine.io-client-3.5.2.tgz
          • :x: ws-7.4.5.tgz (Vulnerable Library)

</details> <details><summary><b>ws-6.2.1.tgz</b></summary>

<p>Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js</p> <p>Library home page: <a href="https://registry.npmjs.org/ws/-/ws-6.2.1.tgz">https://registry.npmjs.org/ws/-/ws-6.2.1.tgz</a></p> <p>Path to dependency file: webpack-mpa-next/package.json</p> <p>Path to vulnerable library: webpack-mpa-next/node_modules/ws</p> <p>

Dependency Hierarchy:

  • critical-3.0.1.tgz (Root Library)
    • penthouse-2.3.2.tgz
      • puppeteer-2.1.1.tgz
        • :x: ws-6.2.1.tgz (Vulnerable Library)

</details>

<p>Found in HEAD commit: <a href="https://github.com/scriptex/webpack-mpa-next/commit/a4662941d1faa6b3e69346d05c16e994341b9f38">a4662941d1faa6b3e69346d05c16e994341b9f38</a></p> </p> </details> <p></p> <details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png' width=19 height=20> Vulnerability Details</summary> <p>

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

<p>Publish Date: 2021-05-25</p> <p>URL: <a href="https://vuln.whitesourcesoftware.com/vulnerability/CVE-2021-32640">CVE-2021-32640</a></p> </p> </details> <p></p> <details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (<b>5.3</b>)</summary> <p>

Base Score Metrics:

<p>Type: Upgrade version</p> <p>Origin: <a href="https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693">https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693</a></p> <p>Release Date: 2021-05-25</p> <p>Fix Resolution: ws - 7.4.6</p>

</p> </details> <p></p>