RUSTSEC-2020-0043 on 2020-09-25: Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory

Affected versions of this crate did not properly check and cap the growth of the outgoing buffer.

This allows a remote attacker to take down the process by growing the outgoing buffer of their (single) connection until the process exhausts the memory it can allocate and is killed.

The flaw was corrected in the parity-ws fork (>=0.10.0) by disconnecting a client when the buffer runs full.

CVE-2020-35896

GHSA-rh7x-ppxx-p34c
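The mitigation the fork adopted, shown as an added example rather than code from the ws or parity-ws crates: a per-connection outgoing buffer that tracks its queued bytes against a hard cap and marks the connection for disconnect instead of growing without bound when a peer stops reading. The type and error names (`OutBuffer`, `QueueError`) are hypothetical.

```rust
use std::collections::VecDeque;
// Added example, not the ws crate's code: a per-connection outgoing buffer
// with a hard byte cap (OutBuffer/QueueError are hypothetical names). The
// policy mirrors the advisory's fix: disconnect the client once it runs full.
#[derive(Debug, PartialEq)]
pub enum QueueError {
    OutboundLimitExceeded { queued: usize, limit: usize },
    Closed, // connection already marked for disconnect
}

pub struct OutBuffer {
    frames: VecDeque<Vec<u8>>,
    queued_bytes: usize,
    limit: usize,
    closed: bool,
}

impl OutBuffer {
    pub fn new(limit: usize) -> Self {
        OutBuffer { frames: VecDeque::new(), queued_bytes: 0, limit, closed: false }
    }
    /// Queue a frame. An unbounded Vec keeps growing while the peer refuses
    /// to read; this instead refuses and closes once the cap would be passed.
    pub fn enqueue(&mut self, frame: Vec<u8>) -> Result<(), QueueError> {
        if self.closed {
            return Err(QueueError::Closed);
        }
        let queued = self.queued_bytes.saturating_add(frame.len());
        if queued > self.limit {
            self.closed = true;
            self.frames.clear(); // release what this peer made us hold
            self.queued_bytes = 0;
            return Err(QueueError::OutboundLimitExceeded { queued, limit: self.limit });
        }
        self.queued_bytes = queued;
        self.frames.push_back(frame);
        Ok(())
    }

    /// The socket accepted the front frame; its bytes are no longer queued.
    pub fn pop_written(&mut self) -> Option<Vec<u8>> {
        let frame = self.frames.pop_front()?;
        self.queued_bytes -= frame.len();
        Some(frame)
    }

    pub fn queued_bytes(&self) -> usize { self.queued_bytes }
    pub fn is_closed(&self) -> bool { self.closed }
}
```

The cap should be sized per deployment; the point is that a single stalled or malicious connection can never hold more than `limit` bytes of the server's memory.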

Lib.rs has been able to verify that all files in the crate's tarball, except Cargo.lock, are in the crate's repository with a git tag matching the version. Please note that this check is still in beta, and absence of this confirmation does not mean that the files don't match.

Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories, so there is a possibility that published crates have a misleading repository URL, or contain different code from the code in the repository.

To review the actual code of the crate, it's best to use cargo crev open ws. Alternatively, you can download the tarball of ws v0.9.2 or view the source online.