You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In vulnerable versions of ws, the issue can be mitigated in the following ways:
Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
Set server.maxHeadersCount to 0 so that no limit is applied.
Repositories:
testcafe-hammerhead
- https://github.com/PavelMor25/testcafe-hammerhead/security/dependabot/14Package:
ws
Description:
Impact
A request with a number of headers exceeding the
server.maxHeadersCount
threshold could be used to crash a ws server.Proof of concept
Patches
The vulnerability was fixed in ws@8.17.1 (websockets/ws@e55e510) and backported to ws@7.5.10 (websockets/ws@22c2876), ws@6.2.3 (websockets/ws@eeb76d3), and ws@5.2.4 (websockets/ws@4abd8f6)
Workarounds
In vulnerable versions of ws, the issue can be mitigated in the following ways:
--max-http-header-size=size
and/or themaxHeaderSize
options so that no more headers than theserver.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.Credits
The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.
References
CVE ID:
CVE-2024-37890
GHSA ID:
GHSA-3h5v-q93c-6h6q
The text was updated successfully, but these errors were encountered: