websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2020-06-02T18:25:01

Updated: 2024-08-04T09:33:20.058Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7663

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-06-02T19:15:12.467

Modified: 2024-11-21T05:37:33.930

Link: CVE-2020-7663

cve-icon Redhat

Severity : Important

Publid Date: 2020-06-02T00:00:00Z

Links: CVE-2020-7663 - Bugzilla