Description

SockJS v0.3.19 calls res.end instead of res.write when handling websocket upgrade requests. A subsequent write then raises Error [ERR_STREAM_WRITE_AFTER_END]: write after end, an uncaught exception that crashes the Node.js process and therefore the container running the app utilising the vulnerable SockJS.

Vulnerable versions affected:

  • Meteor JS <1.10.2, which uses SockJS 0.3.19
  • SockJS 0.3.19

Exploit PoC

See the GitHub repo: https://github.com/sussition/sockjs-dos-py

Remediation

Update SockJS to 0.3.20 (and, for Meteor apps, Meteor to 1.10.2 or later).
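An added example, not from this advisory or the SockJS project, that scans a package-lock.json for sockjs copies below the fixed release named above; the lockfile contents and dependency names are constructed placeholders.

```javascript
// First release that no longer calls res.end on websocket upgrade requests.
const FIXED_SOCKJS = '0.3.20';

// Compare two dotted version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every installed sockjs version, including nested (transitive) copies.
// Lockfile v2/v3 has a flat "packages" map; v1 nests under "dependencies".
function findSockjsVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key.endsWith('node_modules/sockjs') && info.version) {
        found.push({ path: key, version: info.version });
      }
    }
    return found;
  }
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const p = path.concat(name);
      if (name === 'sockjs' && info.version) found.push({ path: p.join(' > '), version: info.version });
      walk(info.dependencies, p); // transitive dependencies of this package
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Return only the copies older than the fixed release.
function vulnerableSockjs(lockJson) {
  return findSockjsVersions(JSON.parse(lockJson))
    .filter(e => compareVersions(e.version, FIXED_SOCKJS) < 0);
}

// Constructed v1-style lockfile: a patched top-level sockjs plus a vulnerable
// transitive copy pulled in by a placeholder dependency "example-dev-server".
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 1,
  dependencies: {
    sockjs: { version: '0.3.20' },
    'example-dev-server': { version: '1.0.0', dependencies: { sockjs: { version: '0.3.19' } } }
  }
});
```

Running `vulnerableSockjs(SAMPLE_LOCK)` reports only the nested 0.3.19 copy, which `npm ls sockjs` would also surface but which a check of the top-level version alone would miss.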

References