Security #8586

Updated by Jason Ish 17 days ago

Freshdesk ticket: https://suricata.freshdesk.com/a/tickets/135
Freshdesk finding: M-6
Freshdesk created: 2026-05-19T17:58:20Z
Reporter-stated severity: MEDIUM

## Summary

The WebSocket parser accepts any combination of MASK flag and direction. RFC 6455 section 5.1 requires client-to-server frames to be masked and server-to-client frames to not be masked.

## Affected Code

Files: `rust/src/websocket/parser.rs:48-97`, `rust/src/websocket/websocket.rs`

## Impact

This enables two evasion vectors:

1. A server injects masked frames with payload that a real browser would discard; Suricata de-XORs and feeds content to the detector that the client never processes.
2. A client sends unmasked frames; Suricata accepts what the real server would close with 1002 Protocol Error.

## Suggested Fix

Track connection direction and validate the mask flag accordingly.
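To illustrate the suggested fix, here is an added example (not Suricata's parser and not the reporter's code) of a minimal RFC 6455 frame parser in Rust that carries the flow direction alongside the bytes and rejects a MASK bit that disagrees with section 5.1. The `Direction`, `FrameError`, `Frame`, `parse_frame` and `build_frame` names are assumptions chosen for the example and are not identifiers from `rust/src/websocket/parser.rs`; the sample frames are constructed inline.

```rust
// Added example, not Suricata's code: a minimal RFC 6455 frame parser that
// carries the connection direction and enforces the masking rule of section 5.1.
// Type and function names here are assumptions chosen for the example.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Direction {
    ToServer, // client -> server: frames MUST be masked
    ToClient, // server -> client: frames MUST NOT be masked
}

#[derive(Debug, PartialEq, Eq)]
pub enum FrameError {
    Incomplete,
    ReservedBits,
    // MASK bit disagrees with the direction; a conforming endpoint fails the
    // connection with close code 1002, so the parser should not accept it either.
    MaskDirectionMismatch { masked: bool, direction: Direction },
}

#[derive(Debug, PartialEq, Eq)]
pub struct Frame {
    pub fin: bool,
    pub opcode: u8,
    pub masked: bool,
    pub payload: Vec<u8>,
}

/// Parse one frame from `input` for traffic flowing in direction `dir`.
/// Returns the unmasked frame and the number of bytes consumed.
pub fn parse_frame(input: &[u8], dir: Direction) -> Result<(Frame, usize), FrameError> {
    if input.len() < 2 {
        return Err(FrameError::Incomplete);
    }
    let (b0, b1) = (input[0], input[1]);
    if b0 & 0x70 != 0 {
        return Err(FrameError::ReservedBits); // RSV1-3 unused without extensions
    }
    let masked = b1 & 0x80 != 0;
    // The direction check this issue asks for: masked toward the server,
    // unmasked toward the client, independent of what the header claims.
    let must_mask = dir == Direction::ToServer;
    if masked != must_mask {
        return Err(FrameError::MaskDirectionMismatch { masked, direction: dir });
    }

    let mut off = 2;
    let payload_len = match (b1 & 0x7f) as usize {
        126 => {
            let b = input.get(off..off + 2).ok_or(FrameError::Incomplete)?;
            off += 2;
            u16::from_be_bytes([b[0], b[1]]) as usize
        }
        127 => {
            let b = input.get(off..off + 8).ok_or(FrameError::Incomplete)?;
            off += 8;
            let mut arr = [0u8; 8];
            arr.copy_from_slice(b);
            u64::from_be_bytes(arr) as usize
        }
        n => n,
    };
    let mask_key = if masked {
        let k = input.get(off..off + 4).ok_or(FrameError::Incomplete)?;
        off += 4;
        Some([k[0], k[1], k[2], k[3]])
    } else {
        None
    };
    // checked_add: a hostile 64-bit length must not wrap the bounds check.
    let end = off
        .checked_add(payload_len)
        .filter(|&e| e <= input.len())
        .ok_or(FrameError::Incomplete)?;
    let mut payload = input[off..end].to_vec();
    if let Some(k) = mask_key {
        // RFC 6455 section 5.3: octet i is XORed with key[i mod 4].
        for (i, byte) in payload.iter_mut().enumerate() {
            *byte ^= k[i % 4];
        }
    }
    Ok((Frame { fin: b0 & 0x80 != 0, opcode: b0 & 0x0f, masked, payload }, end))
}

/// Build one unfragmented frame with a payload shorter than 126 bytes, masked
/// when `mask` is given. Used only to construct the sample frames for the checks.
pub fn build_frame(opcode: u8, payload: &[u8], mask: Option<[u8; 4]>) -> Vec<u8> {
    assert!(payload.len() < 126, "builder supports short payloads only");
    let mut out = vec![0x80 | (opcode & 0x0f), payload.len() as u8];
    match mask {
        Some(k) => {
            out[1] |= 0x80;
            out.extend_from_slice(&k);
            out.extend(payload.iter().enumerate().map(|(i, b)| b ^ k[i % 4]));
        }
        None => out.extend_from_slice(payload),
    }
    out
}
```

The app-layer parser already knows which side of the flow a frame arrives on, so the same comparison fits at the point where the second header byte is decoded. Surfacing the mismatch as a parser event, rather than silently unmasking and passing the payload on, gives detection a signal for both cases listed under Impact.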

## Environment

Suricata main branch @ commit 367ca7f (post v8.0.1, May 15, 2026).

## Credit

Reported by Chris Ramos.
