Reported

September 25, 2023

Issued

September 29, 2023

Package

tungstenite (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Aliases

• CVE-2023-43669
• GHSA-9mcr-873m-xcxp

References

• https://github.com/snapview/tungstenite-rs/issues/376

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.20.1

Description

The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).

Advisory available under CC0-1.0 license.