Bug 2292777 (CVE-2024-37890)

Summary: CVE-2024-37890 nodejs-ws: denial of service when handling a request with many HTTP headers
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, adupliak, akostadi, alcohan, alizardo, amasferr, amctagga, andrew.slice, anjoseph, aoconnor, aschwart, asoldano, bbaranow, bdettelb, bmaxwell, bniver, bodavis, boliveir, brian.stansberry, brking, carogers, cbartlet, cdewolf, chazlett, cmah, cmiranda, darran.lofthouse, dbhole, dhanak, dkreling, dmayorov, doconnor, dosoudil, drichtar, drosa, dsimansk, eaguilar, ebaron, epacific, erezende, eric.wittmann, fjuma, flucifre, ggrzybek, gkamathe, gmalinko, gmeno, gparvin, groman, gtanzill, haoli, hkataria, ibek, istudens, ivassile, iweiss, jajackso, janstey, jbalunas, jcammara, jchui, jhardy, jhe, jkang, jkoehler, jkoops, jlledo, jmitchel, jneedle, jobarker, jolong, jpallich, jprabhak, jrokos, kegrant, kingland, koliveir, kshier, ktsao, kverlaen, lbainbri, lgao, mabashia, manissin, matzew, mbenjamin, mhackett, mmakovy, mnovotny, mosmerov, mposolda, msochure, mstefank, msvehla, mulliken, nbecker, nboldt, nipatil, njean, nwallace, omajid, owatkins, pahickey, pantinor, parichar, pbizzarr, pbraun, pcongius, pdelbell, pdrozd, peholase, pesilva, pierdipi, pjindal, pmackay, pskopek, psrna, rgarg, rguimara, rhaigner, rhuss, rjohnson, rkubis, rmartinc, rowaters, rstancel, rstepani, rtaniwa, saroy, sausingh, sdawley, sfroberg, shvarugh, simaishi, smaestri, smcdonal, sostapov, ssilvert, stcannon, sthorger, tasato, teagle, tfister, thavo, tjochec, tkral, tom.jenkinson, tsedmik, vereddy, vmuzikar, wtam, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ws 5.2.4, ws 6.2.3, ws 7.5.10, ws 8.17.1 Doc Type: ---
Doc Text:
A flaw was found in the Node.js WebSocket library (ws). A request with several headers exceeding the 'server.maxHeadersCount' threshold could be used to crash a ws server, leading to a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2292778, 2292781, 2303443, 2350723, 2292779, 2292780, 2292782, 2292783, 2292784, 2294192, 2294193, 2294194, 2298754, 2298755, 2298756, 2298757, 2298758, 2298759, 2298760, 2303426, 2303427, 2303428, 2303429, 2303430, 2303431, 2303432, 2303433, 2303434, 2303435, 2303436, 2303437, 2303438, 2303439, 2303440, 2303441, 2303442, 2303444, 2303445, 2311109, 2311110, 2311111, 2311114, 2318776    
Bug Blocks: 2292785    

Description Robb Gatica 2024-06-17 21:43:21 UTC 
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws.1 (e55e510) and backported to ws.10 (22c2876), ws.3 (eeb76d3), and ws.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e
https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c
https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231
https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
https://nodejs.org/api/http.html#servermaxheaderscount
Comment 1 Robb Gatica 2024-06-17 21:58:18 UTC 
Created nodejs-ws tracking bugs for this issue:

Affects: epel-all [bug 2292778]
Comment 7 errata-xmlrpc 2024-07-17 13:24:54 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:4591 https://access.redhat.com/errata/RHSA-2024:4591
Comment 8 errata-xmlrpc 2024-08-19 07:42:10 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:5547 https://access.redhat.com/errata/RHSA-2024:5547
Comment 10 errata-xmlrpc 2024-09-18 11:57:50 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755
Comment 20 errata-xmlrpc 2025-06-04 20:11:41 UTC 
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:8544 https://access.redhat.com/errata/RHSA-2025:8544
Comment 21 errata-xmlrpc 2025-06-04 22:58:52 UTC 
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:8551 https://access.redhat.com/errata/RHSA-2025:8551