Denial of Service (DoS)

Affecting nes package, versions <6.4.1

high severity

Overview

nes adds native WebSocket support to hapi-based application servers.

Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. An attacker may craft an invalid cookie header that causes the Node.js server to crash.

Note: This issue occurs only when WebSocket authentication is set to cookie.

Remediation

Upgrade nes to version 6.4.1 or higher.
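
To confirm which installed copies of nes still fall in the affected range, the following added example (not part of the advisory or of the nes project) walks a parsed package-lock.json and lists every nes entry below 6.4.1. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: list every locked copy of nes older than the fixed release.
const FIXED = [6, 4, 1]; // first fixed version, taken from the advisory

// True when `version` is a plain semver string below 6.4.1.
// Non-registry specs (git URLs, tarballs) are not flagged and need manual review.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(version || ''));
  if (!m) return false;
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return Boolean(m[4]); // a pre-release such as 6.4.1-rc.1 sorts before 6.4.1
}

// Covers both layouts: "packages" (lockfileVersion 2/3) and the nested
// "dependencies" tree (lockfileVersion 1/2), so transitive copies are found too.
function findAffectedNes(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/nes$/.test(path) && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'nes' && isAffected(meta.version) && !hits.some((h) => h.path === path)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (lockfileVersion 2 carries both layouts).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/nes': { version: '6.3.0' },
    'node_modules/some-plugin/node_modules/nes': { version: '6.4.1' },
  },
  dependencies: {
    nes: { version: '6.3.0' },
    'some-plugin': { version: '1.2.0', dependencies: { nes: { version: '6.4.1' } } },
  },
};
console.log(findAffectedNes(sampleLock));
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json to findAffectedNes; an empty array means no locked copy is below 6.4.1.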

Credit: iipokypatop
CWE: CWE-400
Snyk ID: npm:nes:20170127
Disclosed: 27 Jan, 2017
Published: 16 Apr, 2017
