CVE-2020-7662: Regular Expression Denial of Service in websocket-extensions (NPM package)
8.2
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.59751%
CWE
Published
6/5/2020
Updated
1/9/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
websocket-extensions | npm | < 0.1.4 | 0.1.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the QUOTED regex pattern in parser.js, which was part of the header parsing logic. The key evidence is:
- The commit diff shows a critical modification to the QUOTED regex, adding \ to the excluded characters ([^..."\])
- The added test case specifically targets unclosed quoted strings with repeated backslash sequences
- The vulnerability description explicitly ties the ReDoS to parsing Sec-WebSocket-Extensions headers
- CWE-400 (Uncontrolled Resource Consumption) maps directly to the regex backtracking issue
- The patch changes how backslashes are handled in quoted strings, resolving the ambiguous parsing that caused exponential time complexity