CVE-2022-35922: Rust-WebSocket memory allocation based on untrusted length
Untrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server.
The root cause lies in dataframe parsing. Affected versions allocate a buffer sized from the declared dataframe length, which may come from an untrusted source.
When Vec::with_capacity fails to allocate, the default Rust allocator aborts the current process, killing all threads. This affects only the sync (non-Tokio) implementation. The async version also does not limit memory, but it does not use with_capacity, so a DoS there only occurs when the bytes of an oversized dataframe or message are actually delivered by the attacker.
This is a security concern for you if:
- your server application handles untrusted websocket connections
- OR your client application connects to untrusted websocket servers
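The pattern the advisory describes, shown as an added example that is not rust-websocket's own code and does not reproduce its fix commit: a minimal RFC 6455 frame-header parser extracts the declared payload length, a weak reader sizes its buffer from that length with Vec::with_capacity (the pattern that can abort the process), and a bounded reader rejects the frame before allocating and lets the buffer grow only with bytes actually received. The function names, the MAX_PAYLOAD limit, and the two frames are assumptions constructed for this illustration.

```rust
use std::io::{self, Read};

/// Per-frame payload limit a defender chooses (assumed value, not the crate's).
pub const MAX_PAYLOAD: u64 = 1 << 20; // 1 MiB

/// Constructed frames: a 5-byte text frame, and a header that declares a 64 GiB payload
/// (opcode 0x2 binary, 127 => 64-bit extended length) without sending any payload bytes.
pub const SMALL_FRAME: [u8; 7] = [0x81, 0x05, b'h', b'e', b'l', b'l', b'o'];
pub const HOSTILE_HEADER: [u8; 10] = [0x82, 0x7F, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00];

fn short(what: &str) -> io::Error {
    io::Error::new(io::ErrorKind::UnexpectedEof, what.to_string())
}

/// Parse the declared payload length from a frame header (RFC 6455 section 5.2).
/// Returns (payload_len, header_bytes_consumed). Masking is ignored for brevity.
pub fn declared_payload_len(header: &[u8]) -> io::Result<(u64, usize)> {
    if header.len() < 2 {
        return Err(short("short header"));
    }
    match (header[1] & 0x7F) as u64 {
        126 => {
            if header.len() < 4 {
                return Err(short("short 16-bit length"));
            }
            Ok((u16::from_be_bytes([header[2], header[3]]) as u64, 4))
        }
        127 => {
            if header.len() < 10 {
                return Err(short("short 64-bit length"));
            }
            let mut b = [0u8; 8];
            b.copy_from_slice(&header[2..10]);
            Ok((u64::from_be_bytes(b), 10))
        }
        n => Ok((n, 2)),
    }
}

/// Weak pattern: the declared length directly sizes the buffer. A hostile 64-bit length
/// makes with_capacity fail, and the default allocator then aborts the whole process,
/// regardless of how many payload bytes the peer ever sends.
pub fn read_payload_trusting(reader: &mut impl Read, declared: u64) -> io::Result<Vec<u8>> {
    let mut buf = Vec::with_capacity(declared as usize); // process abort on allocation failure
    reader.by_ref().take(declared).read_to_end(&mut buf)?;
    Ok(buf)
}

/// Hardened form: enforce a limit before any allocation, then read at most `declared`
/// bytes into a buffer that grows only with data actually received.
pub fn read_payload_bounded(reader: &mut impl Read, declared: u64, max: u64) -> io::Result<Vec<u8>> {
    if declared > max {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            format!("declared payload {} exceeds limit {}", declared, max),
        ));
    }
    let mut buf = Vec::new();
    let got = reader.by_ref().take(declared).read_to_end(&mut buf)? as u64;
    if got != declared {
        return Err(short("truncated payload"));
    }
    Ok(buf)
}

fn main() -> io::Result<()> {
    // Benign frame: both readers behave the same.
    let (len, off) = declared_payload_len(&SMALL_FRAME)?;
    let mut rd = &SMALL_FRAME[off..];
    println!("bounded read: {:?}", String::from_utf8_lossy(&read_payload_bounded(&mut rd, len, MAX_PAYLOAD)?));

    // Hostile header: the bounded reader refuses before allocating. The trusting reader is
    // deliberately not called here, since with_capacity(64 GiB) may abort this process.
    let (len, off) = declared_payload_len(&HOSTILE_HEADER)?;
    let mut rd = &HOSTILE_HEADER[off..];
    match read_payload_bounded(&mut rd, len, MAX_PAYLOAD) {
        Err(e) => println!("rejected oversized frame: {}", e),
        Ok(_) => println!("unexpected success"),
    }
    Ok(())
}
```

The check belongs before the allocation, not after a read, because the abort in the advisory happens at with_capacity time, before a single payload byte arrives; a limit applied only to received bytes (the async version's behaviour) still lets an attacker who actually sends the data exhaust memory.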
References
- github.com/advisories/GHSA-qrjv-rf5q-qpxc
- github.com/websockets-rs/rust-websocket
- github.com/websockets-rs/rust-websocket/commit/cbf6e9983e839d2ecad86de8cd1b3f20ed43390b
- github.com/websockets-rs/rust-websocket/security/advisories/GHSA-qrjv-rf5q-qpxc
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V2EOOU5OLEHVMKAH6BALQXKDKIZRXCI
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYPNCM4H4OFBIZI6XMJ2DUTS54FT2TWP
- nvd.nist.gov/vuln/detail/CVE-2022-35922
- rustsec.org/advisories/RUSTSEC-2022-0035.html