CVE-2024-37890 Overview
CVE-2024-37890 is a Denial of Service (DoS) vulnerability affecting the ws package, an open source WebSocket client and server library for Node.js. The vulnerability allows an attacker to crash a ws server by sending a request with a number of headers exceeding the server.maxHeadersCount threshold. This is classified as a Null Pointer Dereference vulnerability (CWE-476) that can lead to complete service disruption.
Critical Impact
Remote attackers can crash WebSocket servers without authentication by sending specially crafted HTTP upgrade requests with excessive headers, causing denial of service for all connected clients.
Affected Products
- ws versions prior to 8.17.1
- ws versions prior to 7.5.10 (version 7.x branch)
- ws versions prior to 6.2.3 (version 6.x branch)
- ws versions prior to 5.2.4 (version 5.x branch)
Discovery Timeline
- 2024-06-17 - CVE-2024-37890 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-37890
Vulnerability Analysis
The vulnerability resides in how the ws WebSocket server processes incoming HTTP upgrade requests. When the ws server receives a request containing more headers than the configured server.maxHeadersCount limit, the server fails to handle this edge case gracefully. Instead of rejecting the request or truncating the headers, the server encounters an unhandled condition that results in a null pointer dereference, causing the process to crash.
The attack can be executed remotely over the network without requiring any authentication or user interaction. The vulnerability exclusively impacts availability—there is no data confidentiality breach or integrity compromise, but the complete loss of service availability affects all connected WebSocket clients.
Root Cause
The root cause is improper handling of header count boundaries when processing HTTP upgrade requests. The ws library relies on Node.js's underlying HTTP server implementation which has a configurable maxHeadersCount property. When this threshold is exceeded, the ws server's request handling code encounters an unexpected state that leads to a null pointer dereference (CWE-476). The code fails to validate or gracefully handle the scenario where the number of incoming headers exceeds the server's configured maximum, resulting in a crash rather than a controlled rejection.
Attack Vector
An attacker can exploit this vulnerability by establishing a TCP connection to a vulnerable ws WebSocket server and sending an HTTP upgrade request containing a large number of headers. The attack does not require valid WebSocket handshake completion—merely sending the malformed HTTP request with excessive headers is sufficient to trigger the crash.
The attack mechanism involves:
- Establishing a network connection to the target WebSocket server
- Sending an HTTP GET request with the WebSocket upgrade headers
- Including additional HTTP headers beyond the server.maxHeadersCount threshold
- The server attempts to process the headers and encounters a null pointer dereference
- The Node.js process crashes, terminating all WebSocket connections
For detailed technical analysis, refer to the GitHub Issue Discussion and the GitHub Security Advisory.
Detection Methods for CVE-2024-37890
Indicators of Compromise
- WebSocket server processes unexpectedly terminating or crashing
- HTTP upgrade requests containing abnormally high numbers of headers in access logs
- Repeated connection attempts followed by immediate server restarts
- Application error logs showing null pointer dereference or unhandled exceptions in ws module
Detection Strategies
- Monitor Node.js process stability and implement alerting for unexpected process terminations
- Analyze incoming HTTP traffic for requests with header counts exceeding normal application thresholds
- Implement web application firewall (WAF) rules to detect and block requests with excessive HTTP headers
- Review application dependency manifests to identify vulnerable ws package versions
Monitoring Recommendations
- Enable verbose logging for WebSocket connection handling to capture malformed requests
- Set up process monitoring with automatic restart capabilities while investigating the root cause
- Monitor network traffic patterns for connection attempts that do not complete WebSocket handshakes
- Implement rate limiting on WebSocket connection endpoints to slow potential exploitation attempts
How to Mitigate CVE-2024-37890
Immediate Actions Required
- Upgrade ws package to 8.17.1 or later for the 8.x branch
- For 7.x deployments, upgrade to 7.5.10 or later
- For 6.x deployments, upgrade to 6.2.3 or later
- For legacy 5.x deployments, upgrade to 5.2.4 or later
- Review and audit all Node.js applications using the ws package in your environment
Patch Information
The vulnerability has been fixed in the following versions with corresponding commits:
- ws@8.17.1: Commit e55e510
- ws@7.5.10: Commit 22c2876
- ws@6.2.3: Commit eeb76d3
- ws@5.2.4: Commit 4abd8f6
The fix was also discussed in Pull Request #2231.
Workarounds
- Reduce the maximum allowed length of request headers using the --max-http-header-size=size Node.js command-line option
- Configure the maxHeaderSize option when creating HTTP servers to limit total header size
- Set server.maxHeadersCount to 0 to disable the header count limit entirely (see Node.js HTTP Documentation)
- Deploy a reverse proxy or load balancer that filters requests with excessive headers before they reach the ws server
# Configuration example: Start Node.js with reduced header size limit
node --max-http-header-size=8192 server.js
# Or configure in application code before creating WebSocket server
const http = require('http');
const server = http.createServer();
server.maxHeadersCount = 0; # Disables header count limit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
