CVE-2023-45820: 
JavaScript vulnerability analysis and mitigation

CVE-2023-45820 affects Directus, a real-time API and App dashboard for managing SQL database content. The vulnerability was discovered and disclosed on October 19, 2023, affecting versions 10.4 and above of Directus installations with websockets enabled. The issue allows the websocket server to crash when receiving an invalid frame (GitHub Advisory).

The vulnerability stems from improper handling of invalid WebSocket frames. When the websocket server receives an invalid frame, it fails to properly catch and handle the error, resulting in a RangeError with the message 'Invalid WebSocket frame: RSV2 and RSV3 must be clear.' The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network attack vector with low complexity (NVD).

When exploited, this vulnerability can cause the Directus server to crash, requiring manual restart if no recovery mechanism is in place. In cloud-hosted environments like directus.cloud, while automatic recovery mechanisms exist, the vulnerability could be exploited for Denial of Service (DoS) attacks by repeatedly sending invalid frames to the server (GitHub Advisory).

The vulnerability has been patched in Directus version 10.6.2. Users are strongly advised to upgrade to this version or later. For users unable to upgrade immediately, the recommended workaround is to disable websockets functionality (GitHub Advisory).