CVE-2024-37890 - Avoiding WebSocket Server Crash in ws by Limiting Header Count
Introduction:
In recent times, a vulnerability was discovered in the WebSocket client and server module for Node.js, known as ws. This vulnerability allows malicious users to crash a ws server by sending requests with a number of headers exceeding the server.maxHeadersCount threshold. However, developers behind ws have fixed this issue in the latest versions. In this post, we will dive deeper into the exploit details and discuss how to mitigate the problem in vulnerable versions of ws.
Exploit details
The vulnerability, identified as CVE-2024-37890, affected the open-source WebSocket client and server for Node.js called ws.
- GitHub link for ws: https://github.com/websockets/ws
- Node.js link for ws package: https://nodejs.org/en/docs/guides/websockets/
In vulnerable versions of ws, a malicious user could potentially crash the server by sending requests containing a number of headers that exceed the server.maxHeadersCount threshold. By exploiting this vulnerability, the attacker can cause Denial of Service (DoS) to the WebSocket server.
The ws developers have fixed this issue in the following versions
- ws@8.17.1 (e55e510): https://github.com/websockets/ws/commit/e55e510
- ws@7.5.10 (22c2876): https://github.com/websockets/ws/commit/22c2876
- ws@6.2.3 (eeb76d3): https://github.com/websockets/ws/commit/eeb76d3
- ws@5.2.4 (4abd8f6): https://github.com/websockets/ws/commit/4abd8f6
Mitigation for vulnerable versions
If you are using vulnerable versions of ws, consider upgrading to a fixed version mentioned above to address this issue. However, if upgrading is not an option, the following mitigations can be applied to counter the vulnerability:
Limit the maximum allowed length of the request headers
Use the --max-http-header-size=size and/or the maxHeaderSize options (available in Node.js 8.. or higher) to limit the allowed size of request headers. This can help prevent an attacker from sending a large number of headers. The code snippet below demonstrates this mitigation:
const http = require('http');
const WebSocket = require('ws');
const server = http.createServer();
const wsServer = new WebSocket.Server({ server });
http.createServer({ maxHeaderSize: 8192 }, (req, res) => {
// Handle HTTP requests
}).listen(808);
console.log('WebSocket server running on port 808');
Set server.maxHeadersCount to
Another way to mitigate the issue is to set server.maxHeadersCount to . This way, there will be no limit applied to the number of headers, allowing the server to handle an unlimited number of headers. However, this workaround should be used with caution as it has the potential to cause excessive memory usage if a large number of headers are allowed.
const http = require('http');
const WebSocket = require('ws');
const server = http.createServer();
server.maxHeadersCount = ;
const wsServer = new WebSocket.Server({ server });
http.createServer((req, res) => {
// Handle HTTP requests
}).listen(808);
console.log('WebSocket server running on port 808');
Conclusion
To protect your WebSocket server from crashing due to excessive headers, ensure you are using one of the fixed versions of ws. If that is not an option, apply one of the mitigations mentioned above to handle the vulnerability and prevent potential Denial of Service (DoS) attacks. Stay informed and keep your systems up-to-date to enhance security.
Timeline
Published on: 06/17/2024 20:15:13 UTC
Last modified on: 06/20/2024 12:44:22 UTC