Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/33824?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/33824?format=api", "vulnerability_id": "VCID-gg1m-2vwq-euet", "summary": "Regular Expression Denial of Service in websocket-extensions (NPM package)\n### Impact\n\nThe ReDoS flaw allows an attacker to exhaust the server's capacity to process\nincoming requests by sending a WebSocket handshake request containing a header\nof the following form:\n\n Sec-WebSocket-Extensions: a; b=\"\\c\\c\\c\\c\\c\\c\\c\\c\\c\\c ...\n\nThat is, a header containing an unclosed string parameter value whose content is\na repeating two-byte sequence of a backslash and some other character. The\nparser takes exponential time to reject this header as invalid, and this will\nblock the processing of any other work on the same thread. Thus if you are\nrunning a single-threaded server, such a request can render your service\ncompletely unavailable.\n\n### Patches\n\nUsers should upgrade to version 0.1.4.\n\n### Workarounds\n\nThere are no known work-arounds other than disabling any public-facing\nWebSocket functionality you are operating.\n\n### References\n\n- https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/", "aliases": [ { "alias": "CVE-2020-7662" }, { "alias": "GHSA-g78m-2chm-r7qv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73502?format=api", "purl": "pkg:npm/websocket-extensions@0.1.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/websocket-extensions@0.1.4" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/207078?format=api", "purl": "pkg:npm/websocket-extensions@0.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gg1m-2vwq-euet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/websocket-extensions@0.1.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/207079?format=api", 
"purl": "pkg:npm/websocket-extensions@0.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gg1m-2vwq-euet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/websocket-extensions@0.1.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/207080?format=api", "purl": "pkg:npm/websocket-extensions@0.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gg1m-2vwq-euet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/websocket-extensions@0.1.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/207081?format=api", "purl": "pkg:npm/websocket-extensions@0.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gg1m-2vwq-euet" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/websocket-extensions@0.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/102969?format=api", "purl": "pkg:rpm/redhat/servicemesh-grafana@6.2.2-38?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9s34-1nd8-f7ee" }, { "vulnerability": "VCID-drfs-tub9-zqgg" }, { "vulnerability": "VCID-ed2w-eexq-kuam" }, { "vulnerability": "VCID-fph7-rrjp-uqa1" }, { "vulnerability": "VCID-gg1m-2vwq-euet" }, { "vulnerability": "VCID-j6nn-jkc5-k3f6" }, { "vulnerability": "VCID-k6ny-gfg9-8ugd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/servicemesh-grafana@6.2.2-38%3Farch=el8" }, { "url": "http://public2.vulnerablecode.io/api/packages/102970?format=api", "purl": "pkg:rpm/redhat/servicemesh-grafana@6.4.3-11?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3cbb-ghjz-fyhn" }, { "vulnerability": "VCID-9s34-1nd8-f7ee" }, { "vulnerability": "VCID-drfs-tub9-zqgg" }, { "vulnerability": "VCID-ed2w-eexq-kuam" }, { "vulnerability": "VCID-fph7-rrjp-uqa1" }, { "vulnerability": "VCID-gg1m-2vwq-euet" }, { "vulnerability": 
"VCID-j6nn-jkc5-k3f6" }, { "vulnerability": "VCID-k6ny-gfg9-8ugd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/servicemesh-grafana@6.4.3-11%3Farch=el8" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7662.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7662.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-7662", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53734", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53643", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53692", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53675", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53658", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53696", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.537", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53683", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53646", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53623", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53575", "published_at": 
"2026-05-05T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53622", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53673", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53636", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53661", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53573", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53596", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53624", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53593", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.53645", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-7662" }, { "reference_url": "https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions" }, { "reference_url": "https://github.com/faye/websocket-extensions-node", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/faye/websocket-extensions-node" }, { "reference_url": "https://github.com/faye/websocket-extensions-node/commit/29496f6838bfadfe5a2f85dff33ed0ba33873237", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/faye/websocket-extensions-node/commit/29496f6838bfadfe5a2f85dff33ed0ba33873237" }, { "reference_url": "https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7662", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7662" }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-WEBSOCKETEXTENSIONS-570623", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-WEBSOCKETEXTENSIONS-570623" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845982", "reference_id": "1845982", "reference_type": "", 
"scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845982" }, { "reference_url": "https://github.com/advisories/GHSA-g78m-2chm-r7qv", "reference_id": "GHSA-g78m-2chm-r7qv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g78m-2chm-r7qv" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2020:2796", "reference_id": "RHSA-2020:2796", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2020:2796" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2020:2861", "reference_id": "RHSA-2020:2861", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2020:2861" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2020:4298", "reference_id": "RHSA-2020:4298", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "weaknesses": [ { "cwe_id": 400, "name": "Uncontrolled Resource Consumption", "description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources." }, { "cwe_id": 20, "name": "Improper Input Validation", "description": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." 
} ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gg1m-2vwq-euet" }