Vulnerability Report: GO-2020-0019

CVE-2020-27813, GHSA-3xh2-74w9-5vxm, and 1 more
Affects: github.com/gorilla/websocket
Published: Apr 14, 2021
Modified: May 20, 2024

An attacker can craft malicious WebSocket frames that cause an integer overflow in a variable which tracks the number of bytes remaining. This may cause the server or client to get stuck attempting to read frames in a loop, which can be used as a denial of service vector.

Affected Packages

Path

Go Versions

Symbols
github.com/gorilla/websocket

before v1.4.1
18 affected symbols

Aliases

CVE-2020-27813
GHSA-3xh2-74w9-5vxm
GHSA-jf24-p9p9-4rjh

References

https://github.com/gorilla/websocket/pull/537
https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37
https://vuln.go.dev/ID/GO-2020-0019.json

Credits

Max Justicz

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL