CVE-2016-10544
Denial of Service in uws
Description
Affected versions of `uws` do not properly handle large websocket messages when `permessage-deflate` is enabled, which may result in a denial of service condition. If `uws` receives a 256Mb websocket message when `permessage-deflate` is enabled, the server will compress the message prior to executing the length check, and subsequently extract (decompress) the message prior to processing. This can result in a situation where an excessively large websocket message passes the length checks, yet still gets cast from a Buffer to a string, which will exceed v8's maximum string size and crash the process.
Recommendation
Update to version 0.10.9 or later. Alternatively, disable `permessage-deflate`.
How to fix CVE-2016-10544
To fix CVE-2016-10544, upgrade the affected package to the patched version listed below.
- Upgrade to 0.10.9 or later
Is CVE-2016-10544 being exploited?
Low: EPSS is 1.3%, and no large-scale exploitation activity has been observed.
Affected packages (1)
- >= 0.10.0, < 0.10.9