CVE-2016-10544
Denial of Service in uws
Description
Affected versions of `uws` do not properly handle large websocket messages when `permessage-deflate` is enabled, which may result in a denial of service condition. If `uws` receives a 256Mb websocket message when `permessage-deflate` is enabled, the length check runs against the compressed form of the message, which is only decompressed afterwards, prior to processing. This can result in a situation where an excessively large websocket message passes the length checks, yet still gets cast from a Buffer to a string, which will exceed v8's maximum string size and crash the process.
Recommendation
Update to version 0.10.9 or later. Alternatively, disable `permessage-deflate`.
How to fix CVE-2016-10544
To remediate CVE-2016-10544, upgrade the affected package to a fixed version below.
- upgrade to 0.10.9 or later
Is CVE-2016-10544 being exploited?
Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- uws >= 0.10.0, < 0.10.9