websockets is vulnerable to denial of service by memory exhaustion
High severity
GitHub Reviewed
Published
Sep 17, 2018
to the GitHub Advisory Database
•
Updated Nov 19, 2024
Description
Published by the National Vulnerability Database
Jun 26, 2018
Published to the GitHub Advisory Database
Sep 17, 2018
Reviewed
Jun 16, 2020
Last updated
Nov 19, 2024
The Python websockets library version 4 contains a CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Servers and clients, unless configured with compression=None that can result in Denial of Service by memory exhaustion. This attack appears to be exploitable via sending a specially crafted frame on an established connection. This vulnerability appears to have been fixed in version 5.0
References