CVE-2022-35922

CVE-2022-35922 is a high-severity uncontrolled resource consumption vulnerability in websocket (rust), affecting versions < 0.26.5. It is fixed in 0.26.5.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Rust-WebSocket memory allocation based on untrusted length

Workarounds

  • Migrate your project to another, maintained Websocket library like Tungstenite.
  • Accept only trusted WebSocket traffic.
  • Filter the WebSocket traffic though some kind of proxy that ensures sanity limits on messages.
  • Handle process aborts gracefully and limit process memory using OS tools.

Credits

This issue was reported by Evan Richter at ForAllSecure and found with Mayhem and Cargo Fuzz.

Impact

Untrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server.
The root cause of the issue is during dataframe parsing.
Affected versions would allocate a buffer based on the declared dataframe size, which may come from an untrusted source.
When Vec::with_capacity fails to allocate, the default Rust allocator will abort the current process, killing all threads. This affects only sync (non-Tokio) implementation. Async version also does not limit memory, but does not use with_capacity, so DoS can happen only when bytes for oversized dataframe or message actually got delivered by the attacker.

This is a security concern for you, if

  • your server application handles untrusted websocket connections
  • OR your client application connects to untrusted websocket servers

Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.

CVE-2022-35922 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.26.5); upgrading removes the vulnerable code path.

Affected versions

websocket (< 0.26.5)

Security releases

websocket → 0.26.5 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

The crashes are fixed in version 0.26.5 by imposing default dataframe size limits.
Affected users are advised to update to this version.

Note that default memory limits are rather large (100MB dataframes and 200 MB messages), so they can still cause DoS in some environments (i.e. 32-bit). New API has been added to fine tune those limits for specific applications.

Frequently Asked Questions

  1. What is CVE-2022-35922? CVE-2022-35922 is a high-severity uncontrolled resource consumption vulnerability in websocket (rust), affecting versions < 0.26.5. It is fixed in 0.26.5. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
  2. How severe is CVE-2022-35922? CVE-2022-35922 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of websocket are affected by CVE-2022-35922? websocket (rust) versions < 0.26.5 is affected.
  4. Is there a fix for CVE-2022-35922? Yes. CVE-2022-35922 is fixed in 0.26.5. Upgrade to this version or later.
  5. Is CVE-2022-35922 exploitable, and should I be worried? Whether CVE-2022-35922 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2022-35922 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2022-35922? Upgrade websocket to 0.26.5 or later.

Stop the waste.
Protect your environment with Kodem.