Memory Allocation Vulnerability in ws Module for WebSocket Functionality
CVE-2016-10518
7.5 HIGH
What is CVE-2016-10518?
A vulnerability exists in the ping functionality of the ws module prior to version 1.0.0 that allows clients to abuse memory allocation by sending specially crafted ping frames. When a ping frame is received, the ws module responds with a pong frame containing the original payload. The vulnerability arises from the lack of validation of the type of data being sent, which leads to incorrect buffer allocation in Node.js. This behavior can potentially be exploited to consume excessive memory resources, impacting the performance and stability of the affected applications.
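The missing type check described above, shown as an added example (not code from the ws project or from this advisory). It assumes the mis-typed value is a number, which the legacy Node.js `Buffer` constructor treated as a size to allocate; `legacyToBuffer`, `toPayloadBuffer`, `checkPayload` and `MAX_CONTROL_PAYLOAD` are hypothetical names.

```javascript
// Added example. legacyToBuffer, toPayloadBuffer, checkPayload and
// MAX_CONTROL_PAYLOAD are hypothetical names, not part of the ws API.

// RFC 6455: a control frame (ping/pong) carries at most 125 payload bytes.
const MAX_CONTROL_PAYLOAD = 125;

// Unvalidated pattern, modelled for contrast. The legacy `new Buffer(value)`
// constructor encoded a string but treated a number as a size to allocate.
// Buffer.alloc() stands in for that call so the model runs on current Node.js.
function legacyToBuffer(data) {
  if (typeof data === 'number') return Buffer.alloc(data); // size, not content
  return Buffer.from(String(data), 'utf8');
}

// Validated pattern: only bytes or text become a payload, a number never
// reaches an allocator, and the control-frame length limit is enforced.
function toPayloadBuffer(data) {
  let buf;
  if (data === undefined || data === null) {
    buf = Buffer.alloc(0);
  } else if (Buffer.isBuffer(data)) {
    buf = data;
  } else if (data instanceof Uint8Array) {
    buf = Buffer.from(data.buffer, data.byteOffset, data.byteLength);
  } else if (typeof data === 'string') {
    buf = Buffer.from(data, 'utf8');
  } else {
    throw new TypeError(`unsupported ping payload type: ${typeof data}`);
  }
  if (buf.length > MAX_CONTROL_PAYLOAD) {
    throw new RangeError(`ping payload is ${buf.length} bytes, limit is ${MAX_CONTROL_PAYLOAD}`);
  }
  return buf;
}

// Reports how the validated path treats one constructed sample input.
function checkPayload(data) {
  try {
    return `accepted, ${toPayloadBuffer(data).length} bytes`;
  } catch (err) {
    return `rejected, ${err.name}`;
  }
}

// Constructed samples: the same "payload" as text and as a number.
console.log('legacy  "1000":', legacyToBuffer('1000').length, 'bytes');
console.log('legacy   1000 :', legacyToBuffer(1000).length, 'bytes');
console.log('checked "1000":', checkPayload('1000'));
console.log('checked  1000 :', checkPayload(1000));
```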
Affected Version(s)
ws node module <= 1.0.0