{"ecosystem":"pypi","package":"websockets","version":null,"bugs":[{"id":4451,"ecosystem":"pypi","package_name":"websockets","affected_version":null,"fixed_version":"9.1","bug_id":"osv:GHSA-8ch4-58qp-g3mp","title":"Observable Timing Discrepancy in aaugustin websockets library","description":"The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33880","labels":["CVE-2021-33880","PYSEC-2021-95"],"created_at":"2026-04-26 03:00:56.351088+00:00","updated_at":"2026-04-26 03:00:56.351088+00:00"},{"id":4450,"ecosystem":"pypi","package_name":"websockets","affected_version":"4.0","fixed_version":"5.0","bug_id":"osv:GHSA-6g87-ff9q-v847","title":"websockets is vulnerable to denial of service by memory exhaustion","description":"The Python websockets library version 4 contains a CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Servers and clients, unless configured with compression=None that can result in Denial of Service by memory exhaustion. This attack appears to be exploitable via sending a specially crafted frame on an established connection. \nThis vulnerability appears to have been fixed in version 5.0","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000518","labels":["CVE-2018-1000518","PYSEC-2018-79"],"created_at":"2026-04-26 03:00:56.348432+00:00","updated_at":"2026-04-26 03:00:56.348432+00:00"},{"id":4453,"ecosystem":"pypi","package_name":"websockets","affected_version":null,"fixed_version":"547a26b685d08cac0aa64e5e65f7867ac0ea9bc0","bug_id":"osv:PYSEC-2021-95","title":"PYSEC-2021-95: advisory","description":"The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0","labels":["CVE-2021-33880","GHSA-8ch4-58qp-g3mp"],"created_at":"2026-04-26 03:00:56.356272+00:00","updated_at":"2026-04-26 03:00:56.356272+00:00"},{"id":4452,"ecosystem":"pypi","package_name":"websockets","affected_version":null,"fixed_version":"5.0","bug_id":"osv:PYSEC-2018-79","title":"PYSEC-2018-79: advisory","description":"aaugustin websockets version 4 contains a CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Servers and clients, unless configured with compression=None that can result in Denial of Service by memory exhaustion. This attack appear to be exploitable via Sending a specially crafted frame on an established connection. This vulnerability appears to have been fixed in 5.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/aaugustin/websockets/pull/407","labels":["CVE-2018-1000518","GHSA-6g87-ff9q-v847"],"created_at":"2026-04-26 03:00:56.353685+00:00","updated_at":"2026-04-26 03:00:56.353685+00:00"}],"total":4,"_cache":"hit"}