Bug 2292777 (CVE-2024-37890) - CVE-2024-37890 nodejs-ws: denial of service when handling a request with many HTTP headers
Summary: CVE-2024-37890 nodejs-ws: denial of service when handling a request with many...
Keywords:
Status: NEW
Alias: CVE-2024-37890
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2292778 2303443 2292779 2292780 2292781 2292782 2292783 2292784 2294192 2294193 2294194 2298754 2298755 2298756 2298757 2298758 2298759 2298760 2303426 2303427 2303428 2303429 2303430 2303431 2303432 2303433 2303434 2303435 2303436 2303437 2303438 2303439 2303440 2303441 2303442 2303444 2303445 2311109 2311110 2311111 2311114 2318776 2350723
Blocks: 2292785
Reported: 2024-06-17 21:43 UTC by Robb Gatica
Modified: 2025-06-04 22:59 UTC (History)
CC List: 145 users

Fixed In Version: ws 5.2.4, ws 6.2.3, ws 7.5.10, ws 8.17.1
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:4591 0 None None None 2024-07-17 13:25:01 UTC
Red Hat Product Errata RHSA-2024:5547 0 None None None 2024-08-19 07:42:18 UTC
Red Hat Product Errata RHSA-2024:6755 0 None None None 2024-09-18 11:57:58 UTC
Red Hat Product Errata RHSA-2025:8544 0 None None None 2025-06-04 20:11:51 UTC
Red Hat Product Errata RHSA-2025:8551 0 None None None 2025-06-04 22:59:02 UTC

Description Robb Gatica 2024-06-17 21:43:21 UTC
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.

https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e
https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c
https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231
https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
https://nodejs.org/api/http.html#servermaxheaderscount

Comment 1 Robb Gatica 2024-06-17 21:58:18 UTC
Created nodejs-ws tracking bugs for this issue:

Affects: epel-all [bug 2292778]

Comment 7 errata-xmlrpc 2024-07-17 13:24:54 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:4591 https://access.redhat.com/errata/RHSA-2024:4591

Comment 8 errata-xmlrpc 2024-08-19 07:42:10 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:5547 https://access.redhat.com/errata/RHSA-2024:5547

Comment 10 errata-xmlrpc 2024-09-18 11:57:50 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755

Comment 20 errata-xmlrpc 2025-06-04 20:11:41 UTC
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:8544 https://access.redhat.com/errata/RHSA-2025:8544

Comment 21 errata-xmlrpc 2025-06-04 22:58:52 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:8551 https://access.redhat.com/errata/RHSA-2025:8551

