Affected versions of `nes` are vulnerable to denial of service when given an invalid `cookie` header, and websocket authentication is set to `cookie`. Submitting an invalid cookie on the websocket upgrade request will cause the node process to throw and exit.

## Recommendation

Update to version 6.4.1 or later.

Affected Packages

npm nes

Affected versions: 0 (fixed in 6.4.1)

Related CVEs

CVE-2017-16025

Key Information

GHSA ID

GHSA-3pwh-5mmc-mwrx

Published

July 24, 2018 8:06 PM

Last Modified

August 31, 2020 6:19 PM

CVSS Score

7.5 /10

Primary Ecosystem

npm

Primary Package

nes

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.