8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7662

GHSA ID

GHSA-g78m-2chm-r7qv

EPSS Score

0.59751%

CWE

CWE-400

Published

6/5/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-7662

CVE-2020-7662:
Regular Expression Denial of Service in websocket-extensions (NPM package)

Impact

The ReDoS flaw allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form:

Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...

That is, a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. The parser takes exponential time to reject this header as invalid, and this will block the processing of any other work on the same thread. Thus if you are running a single-threaded server, such a request can render your service completely unavailable.

Patches

Users should upgrade to version 0.1.4.

Workarounds

There are no known work-arounds other than disabling any public-facing WebSocket functionality you are operating.

References

https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7662

GHSA ID

GHSA-g78m-2chm-r7qv

EPSS Score

0.59751%

CWE

CWE-400

Published

6/5/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
websocket-extensions	npm	< 0.1.4	0.1.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the QUOTED regex pattern in parser.js, which was part of the header parsing logic. The key evidence is:

The commit diff shows a critical modification to the QUOTED regex, adding \ to the excluded characters ([^..."\])
The added test case specifically targets unclosed quoted strings with repeated backslash sequences
The vulnerability description explicitly ties the ReDoS to parsing Sec-WebSocket-Extensions headers
CWE-400 (Uncontrolled Resource Consumption) maps directly to the regex backtracking issue
The patch changes how backslashes are handled in quoted strings, resolving the ambiguous parsing that caused exponential time complexity

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** R**oS *l*w *llows *n *tt**k*r to *x**ust t** s*rv*r's **p**ity to pro**ss in*omin* r*qu*sts *y s*n*in* * W**So*k*t **n*s**k* r*qu*st *ont*inin* * *****r o* t** *ollowin* *orm: S**-W**So*k*t-*xt*nsions: *; *="\*\*\*\*\*\*\*\*\*\*

Reasoning

T** vuln*r**ility st*ms *rom t** QUOT** r***x p*tt*rn in p*rs*r.js, w*i** w*s p*rt o* t** *****r p*rsin* lo*i*. T** k*y *vi**n** is: *. T** *ommit *i** s*ows * *riti**l mo*i*i**tion to t** QUOT** r***x, ***in* \\ to t** *x*lu*** ***r**t*rs ([^..."\\]

8.2

Basic Information

Concerned about an active attack path?

CVE-2020-7662: Regular Expression Denial of Service in websocket-extensions (NPM package)

Impact

Patches

Workarounds

References

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-7662:
Regular Expression Denial of Service in websocket-extensions (NPM package)

Vulnerability Intelligence
Miggo AI