{"id":"CVE-2021-32640","details":"ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff); the affected ranges in this record also list 6.2.2 as the fixed version for the range introduced in 5.0.0. In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.","aliases":["GHSA-6fc8-4gx4-v693"],"modified":"2026-03-15T14:41:10.839639Z","published":"2021-05-25T19:15:07.767Z","related":["GHSA-6fc8-4gx4-v693"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210706-0005/"},{"type":"FIX","url":"https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff"},{"type":"FIX","url":"https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/websockets/ws","events":[{"introduced":"d3af50627de62b0d8b9c42d915e8c6a426238363"},{"fixed":"9bdb58070d64c33a9beeac7c732aac0f4e7e18b7"},{"introduced":"092a822a41eb22f6d6745c18bc29b9c40715680f"},{"fixed":"f5297f7090f6a628832a730187c5b3a06a247f00"},{"fixed":"00c425ec77993773d823f018f64a5c44e17023ff"}],"database_specific":{"versions":[{"introduced":"5.0.0"},{"fixed":"6.2.2"},{"introduced":"7.0.0"},{"fixed":"7.4.6"}]}}],"versions":["5.0.0","5.1.0","5.1.1","5.2.0","5.2.1","6.0.0","6.1.0","6.1.1","6.1.2","6.1.3","6.1.4","6.2.0","6.2.1","7.0.0","7.0.1","7.1.0","7.1.1","7.1.2","7.2.0","7.2.1","7.2.2","7.2.3","7.2.4","7.2.5","7.3.0","7.3.1"
,"7.4.0","7.4.1","7.4.2","7.4.3","7.4.4","7.4.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32640.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}