CVE-2016-10544: Denial of Service in uws
CVSS Score: N/A
Basic Information
CVE ID: CVE-2016-10544
GHSA ID
EPSS Score: 0.55626%
CWE
Published: 9/1/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: -
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
uws | npm | >= 0.10.0, <= 0.10.8 | 0.10.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key flaws: 1) `Hub::inflate`'s lack of decompression size validation before length checks (allowing compressed small payloads to expand beyond limits), and 2) `WebSocketImpl`'s failure to handle inflation errors. The patch adds a 16MB inflation limit in `Hub::inflate` and error checks in `handleFragment`, confirming these were the vulnerable points. The functions' roles in decompression and message processing directly align with the described exploit flow.
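
The two fixes described above, sketched in Node.js as an added example; this is not uws code or the patch itself. `passesCompressedLengthCheck`, `inflateBounded`, `handleCompressedMessage` and the sample buffers are hypothetical names and constructed inputs, and Node's built-in `zlib` stands in for the library's own inflate routine.

```javascript
// Added illustration; not uws source code.
const zlib = require('zlib');

const MAX_INFLATED = 16 * 1024 * 1024; // 16MB inflation limit, as in the patch described above

// Flawed pattern: the limit is compared against the compressed size only.
function passesCompressedLengthCheck(compressed, limit = MAX_INFLATED) {
  return compressed.length <= limit;
}

// Bounded inflate: zlib aborts once the output exceeds `limit`, and every
// failure is returned to the caller instead of being ignored.
function inflateBounded(compressed, limit = MAX_INFLATED) {
  try {
    const data = zlib.inflateRawSync(compressed, { maxOutputLength: limit });
    return { ok: true, data };
  } catch (err) {
    const reason = err.code === 'ERR_BUFFER_TOO_LARGE' ? 'too_large' : 'corrupt';
    return { ok: false, reason };
  }
}

// Hypothetical message handler: an inflation failure drops the message
// (a real server would also close the connection).
function handleCompressedMessage(compressed, deliver) {
  const result = inflateBounded(compressed);
  if (!result.ok) return result.reason;
  deliver(result.data);
  return 'delivered';
}

// Constructed sample inputs.
const small = zlib.deflateRawSync(Buffer.from('hello'));
const oversized = zlib.deflateRawSync(Buffer.alloc(32 * 1024 * 1024)); // 32 MiB of zeros
const corrupt = Buffer.from([0xff, 0xff, 0xff, 0xff]); // invalid deflate block type

// The oversized message is small on the wire, so the compressed-length check passes it.
console.log(oversized.length, passesCompressedLengthCheck(oversized));
console.log(handleCompressedMessage(small, () => {}));
console.log(handleCompressedMessage(oversized, () => {}));
console.log(handleCompressedMessage(corrupt, () => {}));
```

`maxOutputLength` requires Node.js 12.19 / 14.5 or later.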