CVE-2016-10542

HIGH

WS < 1.1.0 - Denial of Service

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-10542. PoCs published by Ryan Knell, Sonatype Security Research, Nick Starke, Sonatype Security Research, including Metasploit module auxiliary/dos/http/ws_dos.

AI-analyzed exploit summary This Metasploit module exploits a Denial of Service (DoS) vulnerability in the npm 'ws' module by sending a crafted WebSocket upgrade request with a malicious 'Sec-WebSocket-Extensions' header value. The exploit triggers a crash in the target service by including the string 'constructor' in the header.

Description

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

Exploits (1)

metasploit WORKING POC
by Ryan Knell, Sonatype Security Research, Nick Starke, Sonatype Security Research · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/ws_dos.rb

This Metasploit module exploits a Denial of Service (DoS) vulnerability in the npm 'ws' module by sending a crafted WebSocket upgrade request with a malicious 'Sec-WebSocket-Extensions' header value. The exploit triggers a crash in the target service by including the string 'constructor' in the header.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: npm module 'ws' (versions affected by CVE-2016-10542)
No auth needed
Prerequisites: Network access to the target service · Target service using vulnerable 'ws' module
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/nodejs/node/issues/7388
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/120

Scores

CVSS v3 7.5
EPSS 0.6607
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-20 CWE-400
Status published
Products (2)
npm/ws 0 - 1.1.1npm
ws_project/ws < 1.1.0
Published May 31, 2018
Tracked Since Feb 18, 2026