GHSA-4pcg-wr6c-h9cq

Source
https://github.com/advisories/GHSA-4pcg-wr6c-h9cq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-4pcg-wr6c-h9cq/GHSA-4pcg-wr6c-h9cq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4pcg-wr6c-h9cq
Aliases
Published
2022-11-07T21:13:57Z
Modified
2023-11-08T04:10:20.592717Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
fastify/websocket vulnerable to uncaught exception via crash on malformed packet
Details

Impact

Any application using @fastify/websocket could crash if a specific, malformed packet is sent.

All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched.

Patches

This has been patched in v7.1.1 (fastify v4) and v5.0.1 (fastify v3).

Workarounds

No known workaround is available, although it should be possible to attach the error handler manually. The recommended path is upgrading to the patched versions.

Credits

marcolanaro for finding and patching this vulnerability

For more information

If you have any questions or comments about this advisory:
  • Open an issue in @fastify/websocket
  • Email us at hello@matteocollina.com

References

Affected packages

npm / @fastify/websocket

Package

Name
@fastify/websocket
Purl
pkg:npm/%40fastify/websocket

Affected ranges

Type
SEMVER
Events
Introduced
5.0.0
Fixed
5.0.1

npm / @fastify/websocket

Package

Name
@fastify/websocket
Purl
pkg:npm/%40fastify/websocket

Affected ranges

Type
SEMVER
Events
Introduced
6.0.0
Fixed
7.1.1

npm / fastify-websocket

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
4.3.0