CVE-2024-37890
published 2024-06-17


Priority: P342 (high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 1.36% (68.2th percentile)
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.

Affected

17 ranges

Vendor | Product | Version range | Fixed in
debian | node-ws | < node-ws 8.18.0+~cs13.7.11-1 (forky) | node-ws 8.18.0+~cs13.7.11-1 (forky)
linux | linux_kernel | >= 0 < 5.15.0-143.153 | 5.15.0-143.153
linux | linux_kernel | >= 0 < 5.4.0-219.239 | 5.4.0-219.239
msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | |
msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | |
msrc | cbl2_reaper_3.1.1-10_on_cbl_mariner_2.0 | |
msrc | cbl2_reaper_3.1.1-18_on_cbl_mariner_2.0 | |
msrc | cbl_mariner_2.0_arm | |
msrc | cbl_mariner_2.0_x64 | |
websockets | ws | |
websockets | ws | |
websockets | ws | |
websockets | ws | |
ws_project | ws | >= 2.1.0 < 5.2.4 | 5.2.4
ws_project | ws | >= 6.0.0 < 6.2.3 | 6.2.3
ws_project | ws | >= 7.0.0 < 7.5.10 | 7.5.10
ws_project | ws | >= 8.0.0 < 8.17.1 | 8.17.1

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv | | 7.5 | HIGH |
vendor_debian | | 7.5 | HIGH |
vendor_msrc | | 7.5 | HIGH |
vendor_redhat | | 7.5 | HIGH |