CVE-2016-10544

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2016-10544
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-10544.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-10544
Aliases
Published
2018-05-31T20:29:01Z
Modified
2024-09-03T01:04:19.056388Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

uws is a WebSocket server library. By sending a 256mb websocket message to a uws server instance with permessage-deflate enabled, there is a possibility used compression will shrink said 256mb down to less than 16mb of websocket payload which passes the length check of 16mb payload. This data will then inflate up to 256mb and crash the node process by exceeding V8's maximum string size. This affects uws >=0.10.0 <=0.10.8.

References

Affected packages

Git / github.com/unetworking/uwebsockets

Affected ranges

Type
GIT
Repo
https://github.com/unetworking/uwebsockets
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1.0
v0.10.0
v0.2.0
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.7.0
v0.8.0
v0.9.0