XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows…
XX-Net V5.16.6 has a flaw in its WebSocket frame parsing within `simple_http_server.py`. The server incorrectly reads 4 bytes as a masking key even when a WebSocket frame is unmasked, corrupting the first part of the payload. This leads to improper XOR-decoding of the remaining data and lacks proper validation for RSV, opcode, and FIN bits.
XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations.
Users of XX-Net V5.16.6 face a medium risk of data corruption, as attackers can send specially crafted unmasked WebSocket frames to exploit a parsing vulnerability, leading to incorrect decoding of application data.
Monitor & Review
Low severity — keep this CVE on your radar and patch during routine maintenance.
What should I do?
Published
CVE disclosed publicly
Last Modified
Most recent update
Indexed to CVEInsight
Added to this platform
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
0
Affected Products
4
References
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability
Impact