CVEFinder.io

CVE-2021-32640

Severity: medium
Description

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.

CVSS Score: 5.3 (Medium)
EPSS Score: 0.5 (Exploit Probability)
Published Date: 2021-05-25
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is lower risk: more severe than 19.7% of all 328,009 vulnerabilities in our database.

Severity Percentile: #263,349 (below average severity)
Last Modified: 2024-11-21
Source: NVD
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Related CVEs (6)

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2026-45736 | medium | 4.4 | 0.0 | ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is v... | 2026-05-15 |
| CVE-2022-23491 | medium | 6.8 | 0.1 | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verify... | 2022-12-07 |
| CVE-2022-45061 | high | 7.5 | 0.1 | An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing s... | 2022-11-09 |
| CVE-2022-31123 | medium | 6.1 | 0.0 | Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerab... | 2022-10-13 |
| CVE-2021-3999 | high | 7.8 | 1.0 | A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when th... | 2022-08-24 |
| CVE-2022-31097 | high | 7.3 | 48.1 | Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, ... | 2022-07-15 |
These CVEs affect the same products