CVE-2016-10544: Improper Input Validation

September 1, 2020 (updated January 8, 2021)

uws is a WebSocket server library. By sending a 256mb websocket message to a uws server instance with permessage-deflate enabled, there is a possibility used compression will shrink said 256mb down to less than 16mb of websocket payload which passes the length check of 16mb payload. This data will then inflate up to 256mb and crash the node process by exceeding V8’s maximum string size. This affects uws >=0.10.0 <=0.10.8.

References

github.com/advisories/GHSA-hf5h-hh56-3vrg
github.com/uWebSockets/uWebSockets/commit/37deefd01f0875e133ea967122e3a5e421b8fcd9
nodesecurity.io/advisories/149
nvd.nist.gov/vuln/detail/CVE-2016-10544
www.npmjs.com/advisories/149

Code Behaviors & Features

Detect and mitigate CVE-2016-10544 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →