CVE-2024-37890
Description
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways:
1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ws (npm) | >= 2.1.0, < 5.2.4 | 5.2.4 |
| ws (npm) | >= 6.0.0, < 6.2.3 | 6.2.3 |
| ws (npm) | >= 7.0.0, < 7.5.10 | 7.5.10 |
| ws (npm) | >= 8.0.0, < 8.17.1 | 8.17.1 |
Affected products
- Ranges (97): 0.4.32, 0.5.0, 0.6, …
References
- https://github.com/advisories/GHSA-3h5v-q93c-6h6q (ghsa, advisory)
- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f (nvd, web)
- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e (nvd, web)
- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c (nvd, web)
- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63 (nvd, web)
- https://github.com/websockets/ws/issues/2230 (nvd, web)
- https://github.com/websockets/ws/pull/2231 (nvd, web)
- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q (nvd, web)
- https://nodejs.org/api/http.html (nvd)