Description
Package: ws
Current Version: 8.16.0
Fixed Version: 5.2.4, 6.2.3, 7.5.10, 8.17.1
Severity: HIGH
Description: ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server: once that count is reached, Node's HTTP parser stops collecting headers, so a header the handshake needs (such as Upgrade) can be absent from req.headers even though the client sent it, and the handshake code then dereferences a value that is not there. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways:
1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. Note that the default size limit (16 KiB on current Node releases) fits well over the default 2000 headers, so the size cap must actually be lowered for this to help.
2. Set server.maxHeadersCount to 0 so that no limit is applied; the header size cap then remains the only bound on the size of the request head.
References:
https://access.redhat.com/security/cve/CVE-2024-37890
https://github.com/websockets/ws
websockets/ws@22c2876
websockets/ws@4abd8f6
websockets/ws@e55e510
websockets/ws@eeb76d3
websockets/ws#2230
websockets/ws#2231
GHSA-3h5v-q93c-6h6q
https://nodejs.org/api/http.html#servermaxheaderscount
https://nvd.nist.gov/vuln/detail/CVE-2024-37890
https://www.cve.org/CVERecord?id=CVE-2024-37890
This issue was automatically created by the Trivy security scanner.