CVE-2021-32640 Overview
CVE-2021-32640 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the ws WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server, causing resource exhaustion and potential denial of service conditions.
Critical Impact
Attackers can exploit this vulnerability remotely without authentication to degrade WebSocket server performance, potentially causing service disruption for applications relying on the ws library.
Affected Products
- ws_project ws (versions prior to 7.4.6)
- NetApp E-Series Performance Analyzer
Discovery Timeline
- 2021-05-25 - CVE-2021-32640 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-32640
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) and specifically manifests as a Regular Expression Denial of Service (ReDoS) attack. The issue exists in how the ws library processes the Sec-Websocket-Protocol HTTP header during WebSocket handshake operations.
The vulnerable code uses an inefficient regular expression pattern to parse protocol values from the header. When a maliciously crafted header value is provided, the regex engine enters a catastrophic backtracking state, consuming excessive CPU resources and blocking the event loop. This can render the WebSocket server unresponsive to legitimate connections.
The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for publicly exposed WebSocket endpoints.
Root Cause
The root cause lies in the original implementation's use of split(/ *, */) to parse the Sec-Websocket-Protocol header. With an unbounded space quantifier ( *) on each side of the comma, this pattern is susceptible to catastrophic backtracking when processing specially crafted input strings containing specific patterns of spaces and commas. The regex engine's super-linear running time on such input leads to CPU exhaustion.
Attack Vector
An attacker can exploit this vulnerability by sending a WebSocket connection request with a specially crafted Sec-Websocket-Protocol header. The malicious header value is designed to trigger worst-case regex processing behavior, causing the server to spend excessive time parsing the header value. Since Node.js operates on a single-threaded event loop, this effectively blocks all other operations on the server.
The fix replaces the vulnerable regex-based split with a simple split(',').map(trim) approach, eliminating the regex backtracking vulnerability entirely:
let protocol = req.headers['sec-websocket-protocol'];
if (protocol) {
- protocol = protocol.trim().split(/ *, */);
+ protocol = protocol.split(',').map(trim);
//
// Optionally call external protocol selection handler.
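Review bot: the trim passed to map on the + line is not defined in the visible lines; it needs to be a standalone unary helper such as (str) => str.trim(), because an unbound String.prototype.trim would throw when map invokes it without a receiver. Note also that dropping the leading protocol.trim() and splitting on a bare ',' means an empty element in the header (a doubled comma, or a trailing one) now yields an empty string in the array, so the protocol selection code that follows should ignore empty entries. Otherwise the replacement is the right shape: split(',') and trim() are linear in the header length, so the backtracking of / *, */ is gone.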
Source: GitHub Commit Update
Detection Methods for CVE-2021-32640
Indicators of Compromise
- Abnormally high CPU utilization on Node.js processes running WebSocket servers
- Increased response latency or timeout errors for WebSocket connections
- Multiple incoming connections with unusually long or complex Sec-Websocket-Protocol header values
- Event loop blocking detected in application performance monitoring
Detection Strategies
- Monitor Node.js process CPU usage for sustained spikes during WebSocket handshake operations
- Implement request logging to capture and analyze Sec-Websocket-Protocol header values for suspicious patterns
- Deploy application performance monitoring (APM) tools to detect event loop blocking events
- Use WAF rules to detect and block requests with abnormally long HTTP headers
Monitoring Recommendations
- Configure alerts for Node.js CPU usage exceeding baseline thresholds
- Implement header size monitoring and alerting for WebSocket endpoints
- Enable detailed WebSocket handshake logging in production environments
- Monitor connection establishment times for anomalies indicating processing delays
How to Mitigate CVE-2021-32640
Immediate Actions Required
- Upgrade the ws library to version 7.4.6 or later immediately
- Audit all Node.js applications for ws library dependencies using npm audit or similar tools
- Implement HTTP header size limits as a temporary mitigation measure
- Review and update any affected downstream applications including NetApp E-Series Performance Analyzer
Patch Information
The vulnerability has been fixed in ws version 7.4.6. The fix is available in the official GitHub commit. Users should update the ws entry in package.json to "^7.4.6" (or a later release) and run npm update to apply the fix. Additional details are available in the GitHub Security Advisory.
Workarounds
- Use the --max-http-header-size=size Node.js CLI option to limit maximum HTTP header size
- Configure the maxHeaderSize option when creating HTTP servers to restrict header length
- Implement a reverse proxy with header size restrictions in front of WebSocket servers
- Deploy rate limiting on WebSocket connection endpoints to reduce attack impact
# Configuration example - Limit HTTP header size to reduce attack surface
node --max-http-header-size=8192 your-server.js
# Or configure in code when creating HTTP server
# const server = http.createServer({ maxHeaderSize: 8192 }, requestListener);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

