CVE-2024-37890
Published 2024-06-17. CVE-2024-37890: ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to…
Priority: P342 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.36% (68.2th percentile)
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-ws | < node-ws 8.18.0+~cs13.7.11-1 (forky) | node-ws 8.18.0+~cs13.7.11-1 (forky) |
| linux | linux_kernel | >= 0 < 5.15.0-143.153 | 5.15.0-143.153 |
| linux | linux_kernel | >= 0 < 5.4.0-219.239 | 5.4.0-219.239 |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_reaper_3.1.1-10_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_reaper_3.1.1-18_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| websockets | ws | — | — |
| websockets | ws | — | — |
| websockets | ws | — | — |
| websockets | ws | — | — |
| ws_project | ws | >= 2.1.0 < 5.2.4 | 5.2.4 |
| ws_project | ws | >= 6.0.0 < 6.2.3 | 6.2.3 |
| ws_project | ws | >= 7.0.0 < 7.5.10 | 7.5.10 |
| ws_project | ws | >= 8.0.0 < 8.17.1 | 8.17.1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_msrc | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
OSV
linux-iot vulnerabilities
osv·2025-08-04·CVSS 4.7
CVE-2024-53051 linux-iot vulnerabilities
linux-iot vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ACPI drivers;
- GPU drivers;
- SMB network file system;
- Memory management;
- Netfilter;
- Network traffic control;
(CVE-2024-53051, CVE-2024-46787, CVE-2024-50047, CVE-2024-56662,
CVE-2025-37890, CVE-2025-38001, CVE-2025-37997, CVE-2025-37932,
CVE-2025-37798, CVE-2025-38177, CVE-2025-38000)
OSV
linux-azure vulnerabilities
osv·2025-07-30·CVSS 4.7
CVE-2025-37890 linux-azure vulnerabilities
linux-azure vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- GPU drivers;
- SMB network file system;
- Memory management;
- Netfilter;
- Network traffic control;
(CVE-2025-37890, CVE-2024-46787, CVE-2025-37798, CVE-2025-38000,
CVE-2025-37932, CVE-2025-38001, CVE-2025-37997, CVE-2024-50047,
CVE-2024-53051)
OSV
linux-azure, linux-azure-5.4, linux-azure-fips, linux-raspi, linux-raspi-5.4 vulnerabilities
osv·2025-07-29·CVSS 4.7
CVE-2024-53051 linux-azure, linux-azure-5.4, linux-azure-fips, linux-raspi, linux-raspi-5.4 vulnerabilities
linux-azure, linux-azure-5.4, linux-azure-fips, linux-raspi, linux-raspi-5.4 vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ACPI drivers;
- GPU drivers;
- SMB network file system;
- Memory management;
- Netfilter;
- Network traffic control;
(CVE-2024-53051, CVE-2024-46787, CVE-2024-50047, CVE-2024-56662,
CVE-2025-37890, CVE-2025-38001, CVE-2025-37997, CVE-2025-37932,
CVE-2025-37798, CVE-2025-38177, CVE-2025-38000)
OSV
linux, linux-aws, linux-aws-5.4, linux-aws-fips, linux-bluefield, linux-fips, linux-gcp, linux-gcp-5.4, linux-gcp-fips, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5
osv·2025-07-25·CVSS 4.7
linux, linux-aws, linux-aws-5.4, linux-aws-fips, linux-bluefield, linux-fips, linux-gcp, linux-gcp-5.4, linux-gcp-fips, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5
linux, linux-aws, linux-aws-5.4, linux-aws-fips, linux-bluefield, linux-fips, linux-gcp, linux-gcp-5.4, linux-gcp-fips, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ACPI drivers;
- GPU drivers;
- SMB network file system;
- Memory management;
- Netfilter;
- Network traffic control;
(CVE-2024-53051, CVE-2024-46787, CVE-2024-50047, CVE-2024-56662,
CVE-2025-37890, CVE-2025-38001, CVE-2025-37997, CVE-2025-37932,
CVE-2025-37798, CVE-2025-38177, CVE-2025-38000)
OSV
linux-xilinx-zynqmp vulnerabilities
osv·2025-07-11·CVSS 4.7
CVE-2025-37890 linux-xilinx-zynqmp vulnerabilities
linux-xilinx-zynqmp vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- GPU drivers;
- SMB network file system;
- Memory management;
- Netfilter;
- Network traffic control;
(CVE-2025-37890, CVE-2024-46787, CVE-2025-37798, CVE-2025-38000,
CVE-2025-37932, CVE-2025-38001, CVE-2025-37997, CVE-2024-50047,
CVE-2024-53051)
OSV
linux-ibm-5.15, linux-intel-iotg, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx vulnerabilities
osv·2025-07-08·CVSS 4.7
CVE-2025-37890 linux-ibm-5.15, linux-intel-iotg, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx vulnerabilities
linux-ibm-5.15, linux-intel-iotg, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- GPU drivers;
- SMB network file system;
- Memory management;
- Netfilter;
- Network traffic control;
(CVE-2025-37890, CVE-2024-46787, CVE-2025-37798, CVE-2025-38000,
CVE-2025-37932, CVE-2025-38001, CVE-2025-37997, CVE-2024-50047,
CVE-2024-53051)
OSV
linux-aws-5.15, linux-intel-iot-realtime vulnerabilities
osv·2025-07-03·CVSS 4.7
CVE-2025-37890 linux-aws-5.15, linux-intel-iot-realtime vulnerabilities
linux-aws-5.15, linux-intel-iot-realtime vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- GPU drivers;
- SMB network file system;
- Memory management;
- Netfilter;
- Network traffic control;
(CVE-2025-37890, CVE-2024-46787, CVE-2025-37798, CVE-2025-38000,
CVE-2025-37932, CVE-2025-38001, CVE-2025-37997, CVE-2024-50047,
CVE-2024-53051)
OSV
linux-realtime vulnerabilities
osv·2025-07-01·CVSS 4.7
CVE-2025-37890 linux-realtime vulnerabilities
linux-realtime vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- GPU drivers;
- SMB network file system;
- Memory management;
- Netfilter;
- Network traffic control;
(CVE-2025-37890, CVE-2024-46787, CVE-2025-37798, CVE-2025-38000,
CVE-2025-37932, CVE-2025-38001, CVE-2025-37997, CVE-2024-50047,
CVE-2024-53051)
OSV
linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15 vu
osv·2025-07-01·CVSS 4.7
linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15 vu
linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15 vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- GPU drivers;
- SMB network file system;
- Memory management;
- Netfilter;
- Network traffic control;
(CVE-2025-37890, CVE-2024-46787, CVE-2025-37798, CVE-2025-38000,
CVE-2025-37932, CVE-2025-38001, CVE-2025-37997, CVE-2024-50047,
CVE-2024-53051)
OSV
linux-fips, linux-aws-fips, linux-gcp-fips vulnerabilities
osv·2025-07-01·CVSS 4.7
CVE-2025-37890 linux-fips, linux-aws-fips, linux-gcp-fips vulnerabilities
linux-fips, linux-aws-fips, linux-gcp-fips vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- GPU drivers;
- SMB network file system;
- Memory management;
- Netfilter;
- Network traffic control;
(CVE-2025-37890, CVE-2024-46787, CVE-2025-37798, CVE-2025-38000,
CVE-2025-37932, CVE-2025-38001, CVE-2025-37997, CVE-2024-50047,
CVE-2024-53051)
OSV
CVE-2024-37890: ws is an open source WebSocket client and server for Node
osv·2024-06-17·CVSS 7.5
CVE-2024-37890 [HIGH] CVE-2024-37890: ws is an open source WebSocket client and server for Node
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
GHSA
ws affected by a DoS when handling a request with many HTTP headers
ghsa·2024-06-17
CVE-2024-37890 [HIGH] CWE-476 ws affected by a DoS when handling a request with many HTTP headers
ws affected by a DoS when handling a request with many HTTP headers
### Impact
A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.
### Proof of concept
```js
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;
  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;
    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers[
```
OSV
ws affected by a DoS when handling a request with many HTTP headers
osv·2024-06-17
CVE-2024-37890 [HIGH] ws affected by a DoS when handling a request with many HTTP headers
ws affected by a DoS when handling a request with many HTTP headers
### Impact
A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.
### Proof of concept
```js
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;
  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;
    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers[
```
Red Hat
nodejs-ws: denial of service when handling a request with many HTTP headers
vendor_redhat·2024-06-16·CVSS 7.5
CVE-2024-37890 [HIGH] CWE-770 nodejs-ws: denial of service when handling a request with many HTTP headers
nodejs-ws: denial of service when handling a request with many HTTP headers
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
A flaw was found in the Node.js WebSocket library (ws). A r
Microsoft
Denial of service when handling a request with many HTTP headers in ws
vendor_msrc·2024-06-11·CVSS 7.5
CVE-2024-37890 [HIGH] CWE-476 Denial of service when handling a request with many HTTP headers in ws
Denial of service when handling a request with many HTTP headers in ws
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian
CVE-2024-37890: node-ws - ws is an open source WebSocket client and server for Node.js. A request with a n...
vendor_debian·2024·CVSS 7.5
CVE-2024-37890 [HIGH] CVE-2024-37890: node-ws - ws is an open source WebSocket client and server for Node.js. A request with a n...
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 8.18.0+~cs13.7.11-1)
sid: resolved (fixed in 8.18.0+~cs13.7.11-1)
No detection rules found.
No public exploits indexed.
References
- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e
- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c
- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
- https://github.com/websockets/ws/issues/2230
- https://github.com/websockets/ws/pull/2231
- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
- https://nodejs.org/api/http.html#servermaxheaderscount
Published: 2024-06-17