CVE-2016-10544
Last modified
CVE-2016-10544 is a vulnerability of currently unknown severity. uws is a WebSocket server library. If a 256 MB WebSocket message is sent to a uws server instance with permessage-deflate enabled, compression may shrink those 256 MB to less than 16 MB of WebSocket payload, which passes the 16 MB payload length check. EPSS estimates a 1.34% chance of exploitation in the next 30 days.
Description
uws is a WebSocket server library. If a 256 MB WebSocket message is sent to a uws server instance with permessage-deflate enabled, compression may shrink those 256 MB to less than 16 MB of WebSocket payload, which passes the 16 MB payload length check. The data is then inflated back up to 256 MB and crashes the Node process by exceeding V8's maximum string size. This affects uws >=0.10.0 <=0.10.8.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Uws Project | Uws | >= 0.10.0, <= 0.10.8 |
References
- https://github.com/uWebSockets/uWebSockets/commit/37deefd01f0875e133ea967122e3a5e421b8fcd9 (Patch, Third Party Advisory)
- https://nodesecurity.io/advisories/149 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2016-10544?
How severe is CVE-2016-10544?
How do I fix CVE-2016-10544?
Are you affected by CVE-2016-10544?
Source: NVD / NIST
