CVE-2024-37890

2024-06-1720:15:13

CWE-476

[email protected]

web.nvd.nist.gov

cve-2024-37890

node.js

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

13.1%

JSON

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Affected configurations

Vulners

Node

websocketswsRange2.1.0–5.2.4

websocketswsRange6.0.0–6.2.3

websocketswsRange7.0.0–7.5.10

websocketswsRange8.0.0–8.17.1

CNA Affected

[
  {
    "vendor": "websockets",
    "product": "ws",
    "versions": [
      {
        "version": ">= 2.1.0, < 5.2.4",
        "status": "affected"
      },
      {
        "version": ">= 6.0.0, < 6.2.3",
        "status": "affected"
      },
      {
        "version": ">= 7.0.0, < 7.5.10",
        "status": "affected"
      },
      {
        "version": ">= 8.0.0, < 8.17.1",
        "status": "affected"
      }
    ]
  }
]