Closed hbparache closed 1 month ago
Items with root of @cumulus can only be handled by the Core Team.
This item should be fixed during the next upgrade which will happen during this PI.
Also, the DoS is not an issue for us because most of the infrastructure is behind multiple security walls and the requests get stopped at the AWS level (before this JavaScript executes).
Introduced through: @cumulus/common@18.2.0 and @cumulus/cmrjs@18.2.0
Fixed in: ws@5.2.4, @6.2.3, @7.5.10, @8.17.1
Exploit maturity: Proof of Concept

Detailed paths

Introduced through: csdap-cumulus@1.0.0 › @cumulus/common@18.2.0 › @aws-sdk/signature-v4-crt@3.575.0 › aws-crt@1.21.0 › @httptoolkit/websocket-stream@6.0.1 › ws@8.16.0
Fix: No remediation path available.

Introduced through: csdap-cumulus@1.0.0 › @cumulus/common@18.2.0 › @aws-sdk/signature-v4-crt@3.575.0 › aws-crt@1.21.0 › mqtt@4.3.8 › ws@7.5.9
Fix: No remediation path available.

Introduced through: csdap-cumulus@1.0.0 › @cumulus/cmrjs@18.2.0 › @cumulus/cmr-client@18.2.0 › @cumulus/common@18.2.0 › @aws-sdk/signature-v4-crt@3.575.0 › aws-crt@1.21.0 › @httptoolkit/websocket-stream@6.0.1 › ws@8.16.0
Fix: No remediation path available.

…and 1 more
Security information

Factors contributing to the scoring:
Snyk: CVSS v3.1 7.5 - High Severity
NVD: Not available. NVD has not yet published its analysis.

Overview

ws is a simple to use websocket client, server and console for node.js.
Affected versions of this package are vulnerable to Denial of Service (DoS) when the number of received headers exceeds the server.maxHeadersCount or request.maxHeadersCount threshold.