CVE-2024-37890: 
JavaScript vulnerability analysis and mitigation

CVE-2024-37890 affects ws, an open source WebSocket client and server for Node.js. The vulnerability was discovered in June 2024 and allows a request with a number of headers exceeding the server.maxHeadersCount threshold to crash a ws server. The vulnerability affects multiple versions: >= 2.1.0 < 5.2.4, >= 6.0.0 < 6.2.3, >= 7.0.0 < 7.5.10, and >= 8.0.0 < 8.17.1 (GitHub Advisory).

The vulnerability occurs when the Upgrade header is correctly received and handled (the 'upgrade' event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the server.maxHeadersCount or request.maxHeadersCount threshold. In such cases, incomingMessage.headers.upgrade may not be set, leading to a crash. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability can be exploited to cause a denial of service by crashing the ws server through sending a request with a large number of headers that exceeds the server's maxHeadersCount threshold (GitHub Advisory).

The vulnerability has been fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). For vulnerable versions, two workarounds are available: 1) Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent, or 2) Set server.maxHeadersCount to 0 to disable the limit (GitHub Advisory).