CVE-2024-37890

Source
https://cve.org/CVERecord?id=CVE-2024-37890
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-37890.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-37890
Aliases
Downstream
Related
Published
2024-06-17T19:09:02.127Z
Modified
2026-03-20T12:37:01.334806Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Denial of service when handling a request with many HTTP headers in ws
Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.

Database specific
{
    "cwe_ids": [
        "CWE-476"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37890.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/websockets/ws

Affected ranges

Type
GIT
Repo
https://github.com/websockets/ws
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/websockets/ws
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/websockets/ws
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/websockets/ws
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/websockets/ws
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/websockets/ws
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/websockets/ws
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/websockets/ws
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.4.32
0.5.0
0.6
0.6.2
0.6.3
0.6.4
0.6.5
0.7
0.7.1
0.7.2
0.8.0
0.8.1
1.*
1.0.0
1.0.1
1.1.0
1.1.1
2.*
2.0.0
2.0.0-beta.0
2.0.0-beta.1
2.0.0-beta.2
2.0.1
2.0.2
2.0.3
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.3.1
3.*
3.0.0
3.1.0
3.2.0
3.3.0
3.3.1
3.3.2
3.3.3
4.*
4.0.0
4.1.0
5.*
5.0.0
5.1.0
5.1.1
5.2.0
5.2.1
5.2.2
5.2.3
6.*
6.0.0
6.1.0
6.1.1
6.1.2
6.1.3
6.1.4
6.2.0
6.2.1
6.2.2
7.*
7.0.0
7.0.1
7.1.0
7.1.1
7.1.2
7.2.0
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.3.0
7.3.1
7.4.0
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.4.6
7.5.0
7.5.1
7.5.2
7.5.3
7.5.4
7.5.5
7.5.6
7.5.7
7.5.8
7.5.9
8.*
8.0.0
8.1.0
8.10.0
8.11.0
8.12.0
8.12.1
8.13.0
8.14.0
8.14.1
8.14.2
8.15.0
8.15.1
8.16.0
8.17.0
8.2.0
8.2.1
8.2.2
8.2.3
8.3.0
8.4.0
8.4.1
8.4.2
8.5.0
8.6.0
8.7.0
8.8.0
8.8.1
8.9.0
v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.1.0
v0.1.1
v0.1.2
v0.2.0
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.4-2
v0.3.5
v0.3.5-2
v0.3.5-3
v0.3.5-4
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.10
v0.4.11
v0.4.12
v0.4.13
v0.4.14
v0.4.15
v0.4.16
v0.4.17
v0.4.18
v0.4.19
v0.4.2
v0.4.20
v0.4.21
v0.4.22
v0.4.23
v0.4.24
v0.4.25
v0.4.26
v0.4.27
v0.4.28
v0.4.29
v0.4.3
v0.4.30
v0.4.31
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-37890.json"