CVE-2024-37890
Denial of service when handling a request with many HTTP headers in ws
Description
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
INFO
Published Date :
June 17, 2024, 8:15 p.m.
Last Modified :
Nov. 21, 2024, 9:24 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
Affected Products
The following products are affected by CVE-2024-37890
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] |
Solution
- Update the affected packages.
- Upgrade CycleCloud to version 8.6.3.
Public PoC/Exploit Available at Github
CVE-2024-37890 has a 2 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-37890.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-37890 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-37890
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
🚀 Self-hosted GitHub Actions runners with Docker containerization, Chrome browser support for web UI testing, comprehensive CI/CD pipelines, monitoring stack, and production-ready deployment automation. Perfect for teams needing reliable, scalable, and secure runner infrastructure.
github-actions docker self-hosted-runner chrome-runner cicd web-ui-testing selenium playwright monitoring devops
Dockerfile Shell TypeScript
ping app for bachelor thesis data collection
JavaScript Ruby Starlark Java Makefile C++ Objective-C Objective-C++
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-37890 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2024-37890 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f Added Reference https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e Added Reference https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c Added Reference https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63 Added Reference https://github.com/websockets/ws/issues/2230 Added Reference https://github.com/websockets/ws/pull/2231 Added Reference https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q Added Reference https://nodejs.org/api/http.html#servermaxheaderscount -
CVE Received by [email protected]
Jun. 17, 2024
Action Type Old Value New Value Added Description ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied. Added Reference GitHub, Inc. https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q [No types assigned] Added Reference GitHub, Inc. https://github.com/websockets/ws/issues/2230 [No types assigned] Added Reference GitHub, Inc. https://github.com/websockets/ws/pull/2231 [No types assigned] Added Reference GitHub, Inc. https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f [No types assigned] Added Reference GitHub, Inc. https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e [No types assigned] Added Reference GitHub, Inc. https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c [No types assigned] Added Reference GitHub, Inc. https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63 [No types assigned] Added Reference GitHub, Inc. https://nodejs.org/api/http.html#servermaxheaderscount [No types assigned] Added CWE GitHub, Inc. CWE-476 Added CVSS V3.1 GitHub, Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H