CVE-2023-43669
Severity: HIGH
tungstenite < 0.20.1 - Denial of Service via Excessive HTTP Header Length
Title source: llmDescription
The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).
References (12)
Issue Tracking, Third Party Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2240110
Issue Tracking, Third Party Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1215563
Release Notes: https://crates.io/crates/tungstenite/versions
Technical Description: https://cwe.mitre.org/data/definitions/407.html
Third Party Advisory: https://github.com/advisories/GHSA-9mcr-873m-xcxp
Exploit, Issue Tracking: https://github.com/snapview/tungstenite-rs/issues/376
Third Party Advisory: https://security-tracker.debian.org/tracker/CVE-2023-43669
Mailing List, Third Party Advisory, vendor-advisory: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THK6G6CD4VW6RCROWUV2C4HSINKK3XAK/
Mailing List, Third Party Advisory, vendor-advisory: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TT7SF6CQ5VHAGFLWNXY64NFSW4WIWE7D/
Mailing List, Third Party Advisory, vendor-advisory: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R77EUWPZVP5WSMNXUXUDNHR7G7OI5NGM/
Scores
CVSS v3: 7.5
EPSS: 0.0322
EPSS Percentile: 87.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
Status: published
Products (5)
crates.io/tungstenite: 0 - 0.20.1 (crates.io)
fedoraproject/fedora: 37
fedoraproject/fedora: 38
fedoraproject/fedora: 39
snapview/tungstenite: < 0.20.0
Published: Sep 21, 2023
Tracked Since: Feb 18, 2026