PT-2024-5560 · Npm+4 · Ws+4

Ryan Lapointe · Published 2024-06-10 · Updated 2026-01-06 · CVE-2024-37890

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

ws versions prior to 8.17.1
ws versions prior to 7.5.10
ws versions prior to 6.2.3
ws versions prior to 5.2.4

Description

The issue stems from incorrect handling of request headers in the ws library for Node.js when the number of headers in a request exceeds the server.maxHeadersCount threshold. A remote attacker can exploit this to cause a denial of service. The vulnerability can be mitigated by reducing the maximum allowed length of request headers or by setting server.maxHeadersCount to 0.

Recommendations

For ws versions prior to 8.17.1, update to version 8.17.1 or later. For ws versions prior to 7.5.10, update to version 7.5.10 or later. For ws versions prior to 6.2.3, update to version 6.2.3 or later. For ws versions prior to 5.2.4, update to version 5.2.4 or later.

As a temporary workaround, consider reducing the maximum allowed length of request headers using the --max-http-header-size=size flag and/or the maxHeaderSize option, so that no more headers than the server.maxHeadersCount limit can fit in a request. Alternatively, set server.maxHeadersCount to 0 so that no count limit is applied.

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

ALT-PU-2025-9506
ALT-PU-2025-9551
AZL-42808
AZL-43600
AZL-45066
BDU:2024-06239
CVE-2024-37890
GHSA-3H5V-Q93C-6H6Q
MGASA-2025-0194

Affected Products

Alt Linux
Confluence
Debian
Red Os
Ws