UBUNTU-CVE-2024-37890

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-37890

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-37890.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-37890

Upstream

CVE-2024-37890

Published

2024-06-17T20:15:00Z

Modified

2025-07-14T07:02:09.823404Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

References

Affected packages

Ubuntu:Pro:16.04:LTS / node-ws

Package

Name: node-ws
Purl: pkg:deb/ubuntu/node-ws@1.0.1+ds1.e6ddaae4-1?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.7.2+ds1.349b7460-1

1.*

1.0.1+ds1.e6ddaae4-1

Ubuntu:Pro:18.04:LTS / node-ws

Package

Name: node-ws
Purl: pkg:deb/ubuntu/node-ws@1.1.0+ds1.e6ddaae4-3ubuntu1?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.0+ds1.e6ddaae4-3build1

1.1.0+ds1.e6ddaae4-3ubuntu1

Ubuntu:Pro:20.04:LTS / node-ws

Package

Name: node-ws
Purl: pkg:deb/ubuntu/node-ws@7.2.1-3?arch=source&distro=esm-apps/focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.0+ds1.e6ddaae4-5

7.*

7.2.1-2

7.2.1-3

Ubuntu:22.04:LTS / node-ws

Package

Name: node-ws
Purl: pkg:deb/ubuntu/node-ws@8.5.0+~cs13.3.3-2?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.4.2+~cs18.0.8-2

7.5.5+~cs13.0.13-1

8.*

8.5.0+~cs13.3.3-2

Ubuntu:24.04:LTS / node-ws

Package

Name: node-ws
Purl: pkg:deb/ubuntu/node-ws@8.11.0+~cs13.7.3-2?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.11.0+~cs13.7.3-1

8.11.0+~cs13.7.3-2

Ubuntu:25.04 / node-ws

Package

Name: node-ws
Purl: pkg:deb/ubuntu/node-ws@8.18.0+~cs14.5.15-1?arch=source&distro=plucky

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.18.0+~cs13.7.11-1

8.18.0+~cs14.5.15-1