Reported

September 25, 2023

Issued

September 29, 2023

Package

tungstenite (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Aliases

• CVE-2023-43669
• GHSA-9mcr-873m-xcxp

References

• https://github.com/snapview/tungstenite-rs/issues/376

CVSS Score

7.5 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.20.1

Description

The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).

Advisory available under CC0-1.0 license.