[Pkg-javascript-devel] Bug#1108355: node-ws: please fix CVE-2024-37890 in bullseye (DoS via uncaught exception)

Sylvain Beucler beuc at beuc.net
Sat Jul 19 09:59:29 BST 2025


Hello,

Thanks for proposing a patch.

We usually don't publish a DLA for a single, minor CVE fix. In addition, 
we try to be consistent with the other dists in Debian, but this CVE 
isn't fixed in stable.

You seem to confuse stable (bookworm) and LTS (bullseye) in your e-mail. 
Please make sure you're targeting the right release.

Overall I would recommend first discussing the situation with the 
package maintainers (Debian Javascript Team).

Cheers!
Sylvain Beucler
Debian LTS Team

On 26/06/2025 19:45, Yang Wang wrote:
> Package: node-ws
> Version: 7.4.2+~cs18.0.8-3
> Severity: normal
> Tags: patch, security
> X-Debbugs-Cc: debian-lts at lists.debian.org
> Control: found -1 7.4.2+~cs18.0.8-3
> 
> Dear Maintainer,
> 
> The package `node-ws` in Debian bookworm is affected by CVE-2024-37890, a denial-of-service vulnerability (uncaught TypeError in websocket-server.js when handling crafted HTTP requests). See:
>    https://security-tracker.debian.org/tracker/CVE-2024-37890
>    https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
> 
> I have prepared a patch that backports the upstream fix to bookworm. The fixed package is versioned as:
> 
>    7.4.2+~cs18.0.8-3+deb11u1
> 
> The patch is attached as a debdiff against the current bookworm version. I have tested that the patched package no longer crashes with the provided PoC.
> 
> Please consider applying this patch to stable (bookworm).
> 
> Best regards,
> Yang Wang
> <yang.wang at windriver.com>
> 
> -- System Information:
> Debian Release: 11.11
>    APT prefers oldstable
>    APT policy: (500, 'oldstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 6.8.0-60-generic (SMP w/8 CPU threads; PREEMPT)
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C), LANGUAGE not set
> Shell: /bin/sh linked to /bin/dash
> Init: unable to detect
> 
> Versions of packages node-ws depends on:
> ii  node-agent-base  6.0.2-2
> ii  node-commander   6.2.1-2
> ii  node-debug       4.3.1+~cs4.1.5-1
> ii  node-read        1.0.7-2
> ii  node-tinycolor   0.0.1-2
> ii  nodejs           12.22.12~dfsg-1~deb11u4
> 
> node-ws recommends no packages.
> 
> node-ws suggests no packages.
> 
> -- no debconf information
