2.1.1
6.0.1
7.0.1
8.0.1
5.2.4
CVE-2024-37890 describes a Denial of Service (DoS) vulnerability in the ws library for Node.js. An attacker can exploit this flaw by sending a request containing an excessive number of HTTP headers, exceeding the configured threshold and causing the server to crash. This vulnerability impacts versions of ws prior to 5.2.4, and a patch has been released to address the issue.
The primary impact of CVE-2024-37890 is a denial-of-service condition. A successful attack can render the affected Node.js WebSocket server unresponsive, preventing legitimate users from connecting and utilizing its services. This disruption can lead to significant operational downtime and potential data loss, especially if the server is critical for real-time communication or application functionality. The provided proof-of-concept demonstrates the ease with which an attacker can generate a request with a large number of headers, highlighting the vulnerability's potential for widespread exploitation. The attack doesn't directly expose sensitive data, but the service interruption can have cascading effects on dependent systems.
CVE-2024-37890 was publicly disclosed on June 17, 2024. A proof-of-concept (PoC) is publicly available, demonstrating the vulnerability's exploitability. The EPSS score is likely to be medium, given the ease of exploitation and the potential for disruption. It is not currently listed on CISA KEV, but its ease of exploitation warrants monitoring. Active exploitation campaigns are not yet confirmed, but the availability of a PoC increases the likelihood of opportunistic attacks.
Applications and services relying on the ws library in Node.js are at risk, particularly those handling external WebSocket connections. This includes real-time chat applications, game servers, and any system using WebSockets for communication. Development environments using older versions of ws are also vulnerable.
• nodejs / server:
  ps aux | grep ws
  # Check for versions prior to 5.2.4
• nodejs / server:
  npm list ws
  # Verify version installed
• generic web: Examine access logs for requests with an unusually high number of headers. Look for patterns of repeated headers or headers with excessively long values.
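As an added example (not part of the advisory page), the following Node.js script applies the log-review indicators above to a captured raw HTTP request: it counts header fields, flags repeated header names and overly long values, and reports whether the request is a WebSocket upgrade. The review thresholds (100 headers, 8192-byte values) and the two sample requests are constructed assumptions, not values from the advisory.

```javascript
// Added example: triage a captured HTTP request for the header-flood pattern
// the advisory describes. Thresholds and sample requests are constructed.

// Parse the header block of a raw HTTP/1.1 request (CRLF or LF separated)
// into [name, value] pairs, preserving duplicates and lower-casing names.
function parseHeaders(rawRequest) {
  const headerBlock = rawRequest.split(/\r?\n\r?\n/)[0];
  const lines = headerBlock.split(/\r?\n/).slice(1); // drop the request line
  const pairs = [];
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // malformed or empty line, ignore
    pairs.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// Score a request against the indicators in the log-review guidance:
// total header count, repeated header names, and overly long values.
function analyzeRequest(rawRequest, opts = {}) {
  const maxHeaders = opts.maxHeaders ?? 100;        // assumed review threshold
  const maxValueLength = opts.maxValueLength ?? 8192; // assumed review threshold
  const pairs = parseHeaders(rawRequest);
  const counts = new Map();
  const longValues = [];
  for (const [name, value] of pairs) {
    counts.set(name, (counts.get(name) || 0) + 1);
    if (value.length > maxValueLength) longValues.push(name);
  }
  const repeated = [...counts].filter(([, n]) => n > 1).map(([name]) => name);
  const isWebSocketUpgrade = pairs.some(
    ([name, value]) => name === 'upgrade' && value.toLowerCase() === 'websocket');
  return {
    headerCount: pairs.length,
    isWebSocketUpgrade,
    repeated,
    longValues,
    suspicious: pairs.length > maxHeaders || longValues.length > 0,
  };
}

// Constructed samples: an ordinary WebSocket handshake, and the same handshake
// padded with many filler headers (the shape the advisory warns about).
const NORMAL_UPGRADE = [
  'GET /chat HTTP/1.1',
  'Host: example.test',
  'Upgrade: websocket',
  'Connection: Upgrade',
  'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==',
  'Sec-WebSocket-Version: 13',
  '',
  '',
].join('\r\n');

const FLOOD_UPGRADE = [
  'GET /chat HTTP/1.1',
  'Host: example.test',
  'Upgrade: websocket',
  'Connection: Upgrade',
  ...Array.from({ length: 300 }, (_, i) => `X-Filler-${i}: x`),
  '',
  '',
].join('\r\n');
```

Run `analyzeRequest(text)` on each captured request; a result with `suspicious: true` and `isWebSocketUpgrade: true` is the combination worth correlating with any ws process restarts in the same window.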
Disclosure:
Exploit status:
EPSS: 0.54% (68th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-37890 is to upgrade the ws library to version 5.2.4 or later. This patched version includes a fix that limits the number of headers processed, preventing the crash condition. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy server to filter incoming requests and limit the number of headers allowed. Additionally, review the server.maxHeadersCount configuration setting to ensure it is set to a reasonable value. Monitor server logs for unusual header patterns or excessive header counts as an early warning sign of potential attacks.
Upgrade the ws library to version 8.17.1 or later. If you cannot upgrade immediately, consider reducing the maximum allowed HTTP header length using the `--max-http-header-size` or `maxHeaderSize` options, or set `server.maxHeadersCount` to 0 to disable the limit.
CVE-2024-37890 is a denial-of-service vulnerability in the ws library for Node.js, allowing an attacker to crash the server by sending a request with too many headers.
You are affected if you are using ws Node.js Server versions prior to 5.2.4. Check your installed version using npm list ws.
Upgrade the ws library to version 5.2.4 or later using npm install ws@5.2.4. Consider WAF rules as a temporary workaround.
Active exploitation campaigns are not yet confirmed, but the availability of a public PoC increases the risk of opportunistic attacks.
Refer to the ws library's GitHub repository for updates and advisories: https://github.com/websockets/ws