CVE-2016-10544
MEDIUMuws 0.10.0-0.10.8 - Denial of Service via WebSocket Message Decompression
Title source: llmDescription
uws is a WebSocket server library. By sending a 256mb websocket message to a uws server instance with permessage-deflate enabled, there is a possibility used compression will shrink said 256mb down to less than 16mb of websocket payload which passes the length check of 16mb payload. This data will then inflate up to 256mb and crash the node process by exceeding V8's maximum string size. This affects uws >=0.10.0 <=0.10.8.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/uWebSockets/uWebSockets/commit/37deefd01f0875e133ea967122e3a5e421b8fcd9
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/149
Scores
CVSS v3
5.9
EPSS
0.0134
EPSS Percentile
67.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-20
CWE-400
Status
published
Products (2)
npm/uws
0.10.0 - 0.10.9npm
uws_project/uws
0.10.0 - 0.10.8
Published
May 31, 2018
Tracked Since
Feb 18, 2026