CVE-2016-10544 in uws
Summary
by MITRE
uws is a WebSocket server library. By sending a 256mb websocket message to a uws server instance with permessage-deflate enabled, there is a possibility used compression will shrink said 256mb down to less than 16mb of websocket payload which passes the length check of 16mb payload. This data will then inflate up to 256mb and crash the node process by exceeding V8's maximum string size. This affects uws >=0.10.0 <=0.10.8.
Analysis
by VulDB Data Team • 03/17/2023
CVE-2016-10544 is a critical memory exhaustion issue in the uws WebSocket server library, affecting versions 0.10.0 through 0.10.8. The flaw exploits the permessage-deflate compression feature, which is commonly enabled in WebSocket implementations to reduce bandwidth usage. It stems from a validation mechanism that does not account for the difference between compressed and decompressed data sizes during WebSocket message processing.
The vulnerability relies on a basic property of compression algorithms: highly compressible data can be reduced to a fraction of its original size. In this case, a 256 megabyte WebSocket message compressed with permessage-deflate can shrink to less than 16 megabytes, which passes the initial payload length check. When the server then decompresses the data back to its original size, the decompression triggers a memory allocation that exceeds V8's maximum string size limit, and the Node.js process crashes. This is a classic example of a resource exhaustion attack that exploits the difference between compressed and uncompressed data representations.
The operational impact extends beyond simple service disruption: the flaw creates a denial of service condition that remote attackers can exploit without authentication. It affects any system running a uws version in the specified range with permessage-deflate compression enabled, which makes it particularly dangerous in production environments where WebSocket services are critical. The crash occurs at the V8 JavaScript engine level, so the entire Node.js process terminates, potentially affecting multiple concurrent connections and leaving the service unavailable to legitimate users.
This vulnerability aligns with CWE-400, which addresses unchecked resource exhaustion, and is consistent with attack patterns documented in the MITRE ATT&CK framework under the T1499 category for network denial of service. An attacker can manipulate the compression and decompression cycle to force memory allocation beyond system limits, making it a sophisticated form of resource exhaustion attack that requires an understanding of both the WebSocket protocol implementation and the limits of the underlying JavaScript engine.
Organizations affected by this vulnerability should immediately upgrade to uws version 0.10.9 or later, where the issue has been resolved through improved input validation and more robust handling of compressed data sizes. Administrators should also consider disabling permessage-deflate compression if the service does not require it, or add monitoring to detect unusual memory consumption patterns. The fix typically involves bounds checking that accounts for the maximum possible decompressed size before compressed data is processed, so that the system can handle the worst case without exhausting available memory.
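The bounds check described above, shown as an added example for a Node.js receiver; it is not code from uws or from this advisory. The function names, the scaled-down sizes (1 MiB limit and 16 MiB message standing in for 16 MB and 256 MB) and the constructed sample data are assumptions, and `maxOutputLength` is the Node.js zlib option that caps inflated output.

```javascript
// Added example: hypothetical names, scaled-down sizes, constructed sample data.
const zlib = require('zlib');

const MAX_PAYLOAD = 1024 * 1024;        // stand-in for the 16 MB payload limit
const MESSAGE_SIZE = 16 * MAX_PAYLOAD;  // stand-in for the 256 MB message (same 16:1 ratio)

// Constructed sample: a highly compressible message as raw DEFLATE, the format
// permessage-deflate carries (RFC 7692 trailer handling is omitted here).
function buildCompressedFrame(size) {
  return zlib.deflateRawSync(Buffer.alloc(size, 0x41));
}

// Weak check: only the compressed, on-the-wire length is compared to the limit.
function passesWireLengthCheck(frame, limit) {
  return frame.length <= limit;
}

// Hardened receive path: the limit is enforced on the inflated size while
// decompressing, so inflation aborts once the limit is crossed instead of
// materialising the whole message first.
function inflateBounded(frame, limit) {
  try {
    const data = zlib.inflateRawSync(frame, { maxOutputLength: limit });
    return { ok: true, length: data.length };
  } catch (err) {
    // Node raises a RangeError when maxOutputLength is exceeded.
    return { ok: false, reason: err.code || err.message };
  }
}

function demo() {
  const oversized = buildCompressedFrame(MESSAGE_SIZE);
  const normal = buildCompressedFrame(64 * 1024);
  return {
    oversizedWireBytes: oversized.length,
    oversizedPassesWeakCheck: passesWireLengthCheck(oversized, MAX_PAYLOAD),
    oversizedResult: inflateBounded(oversized, MAX_PAYLOAD),
    normalResult: inflateBounded(normal, MAX_PAYLOAD),
  };
}

console.log(demo());
```

The oversized frame passes the wire-length check but is rejected during inflation, while the ordinary message is inflated normally.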