ws: WebSocket Client and Server Vulnerability
CVE-2024-37890
What is CVE-2024-37890?
The ws library, an open-source WebSocket client and server for Node.js, has a vulnerability that can lead to server crashes when a request carries an excessive number of headers. When the number of headers exceeds the threshold defined by server.maxHeadersCount, the server may become unresponsive. The issue is fixed in ws@8.17.1 and the fix has been backported to earlier versions such as ws@7.5.10, ws@6.2.3, and ws@5.2.4. To mitigate the vulnerability on affected versions, administrators can reduce the maximum allowed header size with the --max-http-header-size option or the maxHeaderSize property. Alternatively, setting server.maxHeadersCount to 0 removes any limit on the number of headers processed, although this is not recommended due to potential security implications.

Affected Version(s)
ws: affected >= 2.1.0, < 5.2.4; unaffected < 2.1.0, 5.2.4
ws: affected >= 6.0.0, < 6.2.3; unaffected < 6.0.0, 6.2.3
ws: affected >= 7.0.0, < 7.5.10; unaffected < 7.0.0, 7.5.10
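
The ranges above can be checked against every copy of ws in a package-lock.json, nested transitive copies included. This is an added example, not code from the advisory or the ws project; the `>= 8.0.0` lower bound for the 8.x line is an assumption (the page names only the ws@8.17.1 fix), and the sample lockfile is constructed.

```javascript
// Added example: find affected copies of ws in a package-lock.json (v2/v3).
// Rows 1-3 are the page's table; the 8.x lower bound is an assumption.
const AFFECTED = [
  { min: [2, 1, 0], fixed: [5, 2, 4] },
  { min: [6, 0, 0], fixed: [6, 2, 3] },
  { min: [7, 0, 0], fixed: [7, 5, 10] },
  { min: [8, 0, 0], fixed: [8, 17, 1] }, // assumed: page names only the fix
];

// "v7.5.9" or "8.17.1-beta.1" -> { core: [major, minor, patch], pre: bool }
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semantic version: ${v}`);
  return { core: m.slice(1, 4).map(Number), pre: Boolean(m[4]) };
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the fixed version to move to, or null when the version is unaffected.
function fixFor(version) {
  const { core, pre } = parseVersion(version);
  for (const { min, fixed } of AFFECTED) {
    const c = compare(core, fixed);
    // A pre-release of the fixed version sorts before it, so it is unfixed.
    if (compare(core, min) >= 0 && (c < 0 || (c === 0 && pre))) return fixed.join('.');
  }
  return null;
}

// ws is usually a transitive dependency, so check every nested copy.
function auditLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, pkg]) => /(^|\/)node_modules\/ws$/.test(path) && pkg.version)
    .map(([path, pkg]) => ({ path, version: pkg.version, upgradeTo: fixFor(pkg.version) }))
    .filter((f) => f.upgradeTo !== null);
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/ws': { version: '8.17.1' },
  'node_modules/@example/ws': { version: '7.0.0' }, // different package
  'node_modules/engine.io/node_modules/ws': { version: '7.5.9' },
  'node_modules/old-client/node_modules/ws': { version: '2.0.3' },
} };

console.log(auditLockfile(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile` instead of the sample object.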
