Description
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
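The page does not show the affected code. The following added example, which is not ESP-IDF's implementation or its patch, illustrates the defensive pattern the description implies: every tokenizer result is tested for NULL before use. The function name `ws_subprotocol_offered`, the `WS_PROTO_HDR_MAX` bound and the sample values are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define WS_PROTO_HDR_MAX 128  /* assumed upper bound for the header value */

/* Strip leading/trailing spaces and tabs in place; returns the trimmed start. */
static char *trim_ows(char *s)
{
    while (*s == ' ' || *s == '\t') s++;
    size_t n = strlen(s);
    while (n > 0 && (s[n - 1] == ' ' || s[n - 1] == '\t')) s[--n] = '\0';
    return s;
}

/* Returns true if `supported` appears in the comma-separated header value.
 * Hypothetical helper, not an ESP-IDF function. */
bool ws_subprotocol_offered(const char *hdr_value, const char *supported)
{
    char buf[WS_PROTO_HDR_MAX];

    if (hdr_value == NULL || supported == NULL || *supported == '\0') return false;
    size_t len = strlen(hdr_value);
    if (len >= sizeof(buf)) return false;      /* reject oversized values */
    memcpy(buf, hdr_value, len + 1);           /* strtok() modifies its input */

    /* strtok() returns NULL when no token remains, including on the first
     * call for an empty or delimiter-only string. Testing the pointer in the
     * loop condition guards every use of `tok`. strtok() is used here for
     * portability; on a multi-tasking target prefer the reentrant strtok_r(). */
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (strcmp(trim_ows(tok), supported) == 0) return true;
    }
    return false;
}

int main(void)
{
    /* Constructed sample values, not taken from the advisory. */
    const char *samples[] = { "chat, superchat", "chat", "", " , ," };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("\"%s\" -> %d\n", samples[i],
               ws_subprotocol_offered(samples[i], "superchat"));
    }
    return 0;
}
```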
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: None
- Availability: High
Affected products
- espressif / esp-idf: = 6.0
- espressif / esp-idf: = 5.5.4
- espressif / esp-idf: = 5.4.4
- espressif / esp-idf: = 5.3.5
- espressif / esp-idf: = 5.2.6
References
- VENDOR_ADVISORY: https://github.com/espressif/esp-idf/security/advisories/GHSA-3j8v-xgrq-5vg8
- PATCH: https://github.com/espressif/esp-idf/commit/00a2f7fbbbd8fe6d04729022e1d5c9a49435bfe8
- PATCH: https://github.com/espressif/esp-idf/commit/0dc4ee7537f3b12350f5966cecacd59bba840ec6
- PATCH: https://github.com/espressif/esp-idf/commit/37508ab91124ef426a7396d30f79eba1162700c7
- PATCH: https://github.com/espressif/esp-idf/commit/9fc0ca13b3b85b98d32b98cd9dc8ff9d82642b7b
- PATCH: https://github.com/espressif/esp-idf/commit/dc46dc51359749e50617eb70d6f9ae298adc4fff
- PATCH: https://github.com/espressif/esp-idf/commit/f88a47e4f37fb11ae4b0908cd5c80059d83198c6