N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-10544

GHSA ID

GHSA-hf5h-hh56-3vrg

EPSS Score

0.55626%

CWE

CWE-400

Published

9/1/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10544

CVE-2016-10544: Denial of Service in uws

Affected versions of uws do not properly handle large websocket messages when permessage-deflate is enabled, which may result in a denial of service condition.

If uws recieves a 256Mb websocket message when permessage-deflate is enabled, the server will compress the message prior to executing the length check, and subsequently extract the message prior to processing. This can result in a situation where an excessively large websocket message passes the length checks, yet still gets cast from a Buffer to a string, which will exceed v8's maximum string size and crash the process.

Recommendation

Update to version 0.10.9 or later.

Alternatively, disable permessage-deflate.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-10544

GHSA ID

GHSA-hf5h-hh56-3vrg

EPSS Score

0.55626%

CWE

CWE-400

Published

9/1/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
uws	npm	>= 0.10.0, <= 0.10.8	0.10.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key flaws: 1) Hub::inflate's lack of decompression size validation before length checks (allowing compressed small payloads to expand beyond limits), and 2) WebSocketImpl's failure to handle inflation errors. The patch adds a 16MB inflation limit in Hub::inflate and error checks in handleFragment, confirming these were the vulnerable points. The functions' roles in decompression and message processing directly align with the described exploit flow.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `uws` *o not prop*rly **n*l* l*r** w**so*k*t m*ss***s w**n `p*rm*ss***-***l*t*` is *n**l**, w*i** m*y r*sult in * **ni*l o* s*rvi** *on*ition. I* `uws` r**i*v*s * ***M* w**so*k*t m*ss*** w**n `p*rm*ss***-***l*t*` is *n**l**, t**

Reasoning

T** vuln*r**ility st*ms *rom two k*y *l*ws: *) `*u*::in*l*t*`'s l**k o* ***ompr*ssion siz* v*li**tion ***or* l*n*t* ****ks (*llowin* *ompr*ss** sm*ll p*ylo**s to *xp*n* **yon* limits), *n* *) `W**So*k*tImpl`'s **ilur* to **n*l* in*l*tion *rrors. T**

N/A

Basic Information

Concerned about an active attack path?

CVE-2016-10544: Denial of Service in uws

Recommendation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI