Npm · Ws · CVE-2024-37890
**Name of the Vulnerable Software and Affected Versions**
ws versions prior to 8.17.1
ws versions prior to 7.5.10
ws versions prior to 6.2.3
ws versions prior to 5.2.4
**Description**
The ws library for Node.js mishandles requests in which the number of headers exceeds the `server.maxHeadersCount` threshold. A remote attacker can exploit this to cause a denial of service. The vulnerability can be mitigated by reducing the maximum allowed length of request headers or by setting `server.maxHeadersCount` to 0.
**Recommendations**
For ws versions prior to 8.17.1, update to version 8.17.1 or later.
For ws versions prior to 7.5.10, update to version 7.5.10 or later.
For ws versions prior to 6.2.3, update to version 6.2.3 or later.
For ws versions prior to 5.2.4, update to version 5.2.4 or later.
As a temporary workaround, consider reducing the maximum allowed length of request headers using the `--max-http-header-size=size` and/or the `maxHeaderSize` options so that no more headers than the `server.maxHeadersCount` limit can be sent.
Alternatively, set `server.maxHeadersCount` to 0 so that no limit is applied.
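The following added example (not code from the ws project) checks a ws version string against the fixed releases listed above and, when the version is affected, applies the `server.maxHeadersCount = 0` workaround to the Node.js HTTP server that ws would be attached to. The function names `parseVersion`, `isAffected` and `createServerFor` are hypothetical.

```javascript
// Added example, not part of ws. Fixed releases per major branch are the
// ones listed in this advisory.
const http = require('node:http');

const FIXED = { 5: [5, 2, 4], 6: [6, 2, 3], 7: [7, 5, 10], 8: [8, 17, 1] };

// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a version string: ${v}`);
  return m.slice(1).map(Number);
}

// True when `version` is older than the fixed release of its branch.
function isAffected(version) {
  const [major, minor, patch] = parseVersion(version);
  if (major < 5) return true;        // everything "prior to 5.2.4"
  const fixed = FIXED[major];
  if (!fixed) return false;          // newer than any branch listed here
  if (minor !== fixed[1]) return minor < fixed[1];
  return patch < fixed[2];
}

// Create the HTTP server for a WebSocket endpoint. If the installed ws
// version is affected, apply the temporary workaround from the advisory:
// maxHeadersCount = 0, so that no header-count limit is applied.
function createServerFor(wsVersion) {
  const server = http.createServer();
  const affected = isAffected(wsVersion);
  if (affected) server.maxHeadersCount = 0;
  return { server, affected };
}

// Constructed sample versions, one on each side of every fixed release.
for (const v of ['5.2.3', '5.2.4', '6.2.2', '7.5.10', '8.17.0', '8.17.1']) {
  console.log(v, isAffected(v) ? 'affected: upgrade' : 'fixed');
}
```

The version string can be taken from the output of `npm ls ws`; the workaround is a stopgap until the upgrade to the fixed release is done.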