CVE-2020-36406

Source
https://cve.org/CVERecord?id=CVE-2020-36406
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36406.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-36406
Published
2021-07-01T03:15:08Z
Modified
2026-04-11T23:34:05.677188Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

uWebSockets 18.11.0 and 18.12.0 have a stack-based buffer overflow in uWS::TopicTree::trimTree (called from uWS::TopicTree::unsubscribeAll). NOTE: the vendor's position is that this is "a minor issue or not even an issue at all" because the developer of an application (that uses uWebSockets) should not be allowing the large number of triggered topics to accumulate.

References

Affected packages

Git / github.com/unetworking/uwebsockets

Affected ranges

Type
GIT
Repo
https://github.com/unetworking/uwebsockets
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/unetworking/uwebsockets.js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "18.11.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "18.12.0"
        }
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.8
v0.0.9
v0.1.0
v0.15
v0.15.1
v0.15.2
v0.15.3
v0.15.4
v0.15.5
v0.15.6
v0.15.7
v0.15a1
v0.15a2
v0.15a3
v0.15a4
v0.15a5
v0.15b1
v0.15b2
v0.15b3
v0.15rc1
v0.15rc2
v0.15rc3
v0.15rc4
v0.15rc5
v0.16.0
v0.16.0a1
v0.16.0a2
v0.16.0a3
v0.16.0a4
v0.16.0a5
v0.16.0a6
v0.16.0b1
v0.16.0b2
v0.16.0b3
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.16.5
v0.17.0
v0.17.0a1
v0.17.0a3
v0.17.0a4
v0.17.0a5
v0.17.0rc1
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.17.6
v0.17a2
v0.2.0
v0.2.1
Other
v015b4
v15.*
v15.0.0
v15.1.0
v15.10.0
v15.11.0
v15.2.0
v15.3.0
v15.4.0
v15.5.0
v15.6.0
v15.7.0
v15.8.0
v15.9.0
v16.*
v16.0.0
v16.1.0
v16.2.0
v16.3.0
v16.4.0
v16.5.0
v17.*
v17.0.0
v17.1.0
v17.2.0
v17.3.0
v17.4.0
v17.5.0
v17.6.0
v18.*
v18.0.0
v18.1.0
v18.10.0
v18.11.0
v18.12.0
v18.2.0
v18.3.0
v18.4.0
v18.5.0
v18.6.0
v18.7.0
v18.8.0
v18.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36406.json"
vanir_signatures_modified
"2026-04-11T23:34:05Z"
vanir_signatures
[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "source": "https://github.com/unetworking/uwebsockets/commit/03fca626a95130ab80f86adada54b29d27242759",
        "id": "CVE-2020-36406-2b07523f",
        "signature_type": "Line",
        "target": {
            "file": "src/TopicTree.h"
        }
    }
]