Quick-and-dirty fix for CVE-2023-43669 by agalakhov · Pull Request #379 · snapview/tungstenite-rs

agalakhov · 2023-09-22T15:56:21Z

This adds header limits in order to reject suspicious requests.

It were much better to use single-pass header parsing instead. Unfortunately, httparse does not support it yet and none of its alternatives is mature enough.

daniel-abramov

Thanks for tackling this issue! I've left a couple of minor comments, but overall it looks good for a quick fix!

Co-authored-by: Daniel Abramov <inetcrack2@gmail.com>

Quick-and-dirty fix for CVE-2023-43669

Add AttackAttempt error variant

f916b33

agalakhov added the bug label Sep 22, 2023

agalakhov requested a review from daniel-abramov September 22, 2023 15:56

agalakhov force-pushed the CVE-2023-43669 branch from 2bc3d85 to f204f1b Compare September 22, 2023 15:57

daniel-abramov approved these changes Sep 22, 2023

View reviewed changes

Comment thread src/error.rs

Comment thread src/handshake/machine.rs Outdated

Comment thread src/handshake/machine.rs

Comment thread src/handshake/machine.rs Outdated

Comment thread src/handshake/machine.rs Outdated

Comment thread src/handshake/machine.rs

agalakhov and others added 2 commits September 23, 2023 02:16

Add checking for header sanity

2e50292

Co-authored-by: Daniel Abramov <inetcrack2@gmail.com>

Bump crate version

f0f1a06

agalakhov force-pushed the CVE-2023-43669 branch from c574f50 to f0f1a06 Compare September 23, 2023 00:16

agalakhov merged commit 219075e into master Sep 23, 2023

agalakhov deleted the CVE-2023-43669 branch September 23, 2023 00:33

bayandin mentioned this pull request Sep 23, 2023

[GHSA-9mcr-873m-xcxp] Add fixed version github/advisory-database#2752

Merged

This was referenced Sep 24, 2023

update fe2o3-amqp-ws to 0.4.0 minghuaw/azure-sdk-for-rust#29

Merged

updated fe2o3-amqp-ws to 0.4.0 minghuaw/azure-sdk-for-rust#30

Merged

criminosis mentioned this pull request Dec 11, 2023

chore: release wolf4ood/gremlin-rs#193

Merged

takumi-earth pushed a commit to earthlings-dev/tungstenite-rs that referenced this pull request Jan 27, 2026

Merge pull request snapview#379 from snapview/CVE-2023-43669

b1aaa2e

Quick-and-dirty fix for CVE-2023-43669

0-jake-0 mentioned this pull request Feb 16, 2026

Security: Upgrade tungstenite to fix CVE-2023-43669 DoS vulnerability wingfoil-io/wingfoil#98

Closed

6 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Quick-and-dirty fix for CVE-2023-43669#379

Quick-and-dirty fix for CVE-2023-43669#379
agalakhov merged 3 commits intomasterfrom
CVE-2023-43669

agalakhov commented Sep 22, 2023

Uh oh!

daniel-abramov left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

agalakhov commented Sep 22, 2023

Uh oh!

daniel-abramov left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants