CVE-2024-37890:
CVE-2024-37890: Denial of service in the ws library (WebSocket for Node.js) where handling a request with a large number of HTTP headers can trigger a NULL pointer dereference and crash the ws server, affecting availability. The issue has been fixed in ws version 8.17.1 and backported to earlier release lines.
Score
A numerical rating that indicates how dangerous this vulnerability is.
7.5High- Published Date:Jun 17, 2024
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.8
- EPSS Percentile:73%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:3.6
- Confidentiality Impact:NONE
- Integrity Impact:NONE
- Availability Impact:HIGH
Description Preview
CVE-2024-37890: Denial of service in the ws library (WebSocket for Node.js) where handling a request with a large number of HTTP headers can trigger a NULL pointer dereference and crash the ws server, affecting availability. The issue has been fixed in ws version 8.17.1 and backported to earlier release lines.
Overview
ws is vulnerable to a denial-of-service condition when a request presents a large number of HTTP headers that surpass the server’s header limit, potentially causing a NULL pointer dereference and crashing the server. The flaw affects multiple older ws releases and has been resolved in ws 8.17.1, with backports to 7.5.10, 6.2.3, and 5.2.4. Mitigations exist in older versions by limiting header size or removing the header limit entirely (server.maxHeadersCount = 0). Upgrading to the fixed versions is the recommended remediation.
Remediation
- Upgrade ws to the fixed version (at minimum ws 8.17.1). If using a managed dependency chain, ensure the upgrade propagates to all affected release lines (7.5.10, 6.2.3, 5.2.4 backports as applicable).
- If upgrading is not immediately possible, apply mitigations in vulnerable environments:
- Limit the maximum HTTP header size by configuring the server or ws accordingly (e.g., use --max-http-header-size=size or the ws maxHeaderSize option).
- Consider setting server.maxHeadersCount to 0 to disable the header-count limit, recognizing the potential trade-offs and monitoring needs.
- Review and test changes in staging before deploying to production, and monitor for any related issues after applying mitigations or upgrades.
- Implement additional DoS protections (rate limiting, request validation, and proper resource monitoring) to reduce the blast radius of similar attacks.
References
- - https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
- - https://github.com/websockets/ws/issues/2230
- - https://github.com/websockets/ws/pull/2231
- - https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
- - https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e
- - https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c
- - https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
- - https://nodejs.org/api/http.html#servermaxheaderscount
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
