CVE-2020-36406
HIGH
uWebSockets 18.11.0 and 18.12.0 - Stack-based Buffer Overflow in TopicTree
Title source: llm
Description
uWebSockets 18.11.0 and 18.12.0 have a stack-based buffer overflow in uWS::TopicTree::trimTree (called from uWS::TopicTree::unsubscribeAll). NOTE: the vendor's position is that this is "a minor issue or not even an issue at all" because the developer of an application (that uses uWebSockets) should not be allowing the large number of triggered topics to accumulate.
References (3)
Core References
Third Party Advisory x_refsource_misc
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/uwebsockets/OSV-2020-1695.yaml
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25381
Patch, Third Party Advisory x_refsource_misc
https://github.com/uNetworking/uWebSockets/commit/03fca626a95130ab80f86adada54b29d27242759
Scores
CVSS v3
8.8
EPSS
0.0152
EPSS Percentile
71.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-787
Status
published
Products (2)
uwebsockets_project/uwebsockets
18.11.0
uwebsockets_project/uwebsockets
18.12.0
Published
Jul 01, 2021
Tracked Since
Feb 18, 2026