
CVE-2020-7662: Regular Expression Denial of Service in websocket-extensions (NPM package)

CVSS Score: 8.2 (CVSS 3.1)

Basic Information

EPSS Score: 0.59751%
Published: 6/5/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Package Name: websocket-extensions
Ecosystem: npm
Vulnerable Versions: < 0.1.4
First Patched Version: 0.1.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the QUOTED regex pattern in parser.js, which is part of the header parsing logic. Before the patch, both alternatives inside the pattern's repeated group could consume a backslash, so the regex engine had many ways to split a run of backslashes and tried all of them when no closing quote was found. The key evidence is:

  1. The commit diff shows a critical modification to the QUOTED regex, adding \ to the excluded character class ([^..."\])
  2. The added test case specifically targets unclosed quoted strings with repeated backslash sequences
  3. The vulnerability description explicitly ties the ReDoS to parsing Sec-WebSocket-Extensions headers
  4. CWE-400 (Uncontrolled Resource Consumption) maps directly to the regex backtracking issue
  5. The patch changes how backslashes are handled in quoted strings, resolving the ambiguous parsing that caused exponential backtracking
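As an added example (not code from this page or from the websocket-extensions package), the shape of the QUOTED pattern the analysis above describes, before and after the fix, with a small parser built on the hardened form; the exact character ranges, the helper names and the timing helper are assumptions made here for illustration:

```javascript
// Added illustration, not the websocket-extensions source. The character
// ranges are assumed; what matters is the second alternative, which before
// the fix still accepted a backslash, so a backslash could be consumed by
// either branch and an unterminated value had 2^n ways to fail for n escapes.
const QUOTED_AMBIGUOUS = /^"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/;
// After the fix only the escape branch can consume a backslash, so the
// engine has exactly one way to walk the string and fails in linear time.
const QUOTED_FIXED = /^"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/;

// Parse one quoted parameter value from a Sec-WebSocket-Extensions header.
// Returns the unescaped content, or null when it is not a complete quoted-string.
function parseQuotedValue(value, pattern = QUOTED_FIXED) {
  const m = pattern.exec(value);
  if (!m) return null;
  return m[1].replace(/\\([\x00-\x7f])/g, '$1');
}

// Constructed input of the shape the advisory describes: an unclosed quoted
// value whose content is n repetitions of a backslash followed by a character.
function unterminatedValue(n) {
  return '"' + '\\c'.repeat(n);
}

// Time one parse in milliseconds so the two patterns can be compared.
function timedParse(value, pattern) {
  const start = process.hrtime.bigint();
  const result = parseQuotedValue(value, pattern);
  return { result, ms: Number(process.hrtime.bigint() - start) / 1e6 };
}

// Well-formed values parse identically with either pattern.
console.log(parseQuotedValue('"permessage-deflate; \\"x\\""'));
// The hardened pattern rejects a large unterminated value almost instantly ...
console.log('fixed, n=20000:', timedParse(unterminatedValue(20000), QUOTED_FIXED));
// ... while the ambiguous one roughly doubles in time with every extra pair.
for (const n of [12, 14, 16, 18]) {
  const { ms } = timedParse(unterminatedValue(n), QUOTED_AMBIGUOUS);
  console.log(`ambiguous, n=${n}: ${ms.toFixed(1)} ms`);
}
```

Run it with node to see the fixed pattern return null for the 40,000-character input in well under a millisecond while the ambiguous pattern's time grows geometrically with n.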


WAF Protection Rules

WAF Rule

Impact

The ReDoS flaw allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form: Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c

T** vuln*r**ility st*ms *rom t** QUOT** r***x p*tt*rn in p*rs*r.js, w*i** w*s p*rt o* t** *****r p*rsin* lo*i*. T** k*y *vi**n** is: *. T** *ommit *i** s*ows * *riti**l mo*i*i**tion to t** QUOT** r***x, ***in* \\ to t** *x*lu*** ***r**t*rs ([^..."\\]