[Pkg-javascript-devel] Bug#1108355: node-ws: please fix CVE-2024-37890 in bullseye (DoS via uncaught exception)

Yang Wang yang.wang at windriver.com
Mon Jul 21 21:32:20 BST 2025


On 2025-07-19 04:59, Sylvain Beucler wrote:
> Hello,
>
> Thanks for proposing a patch.
>
> We usually don't publish a DLA for a single, minor CVE fix. In addition,
> we try to be consistent with the other dists in Debian, but this CVE
> isn't fixed in stable.
>
> You seem to confuse stable (bookworm) and LTS (bullseye) in your e-mail.
> Please make sure you're targeting the right release.
>
> Overall I would recommend to first discuss the situation with the
> package maintainers (Debian Javascript Team).

Thanks a lot for the great suggestion, will do.

Do you have a recommended CVE list which you think Debian contributors 
can work on?

Much appreciated,
-Yang

>
> Cheers!
> Sylvain Beucler
> Debian LTS Team
>
> On 26/06/2025 19:45, Yang Wang wrote:
>> Package: node-ws
>> Version: 7.4.2+~cs18.0.8-3
>> Severity: normal
>> Tags: patch, security
>> X-Debbugs-Cc: debian-lts at lists.debian.org
>> Control: found -1 7.4.2+~cs18.0.8-3
>>
>> Dear Maintainer,
>>
>> The package `node-ws` in Debian bookworm is affected by 
>> CVE-2024-37890, a denial-of-service vulnerability (uncaught TypeError 
>> in websocket-server.js when handling crafted HTTP requests). See:
>>    https://security-tracker.debian.org/tracker/CVE-2024-37890
>>    https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
>>
>> I have prepared a patch that backports the upstream fix to bookworm. 
>> The fixed package is versioned as:
>>
>>    7.4.2+~cs18.0.8-3+deb11u1
>>
>> The patch is attached as a debdiff against the current bookworm 
>> version. I have tested that the patched package no longer crashes 
>> with the provided PoC.
>>
>> Please consider applying this patch to stable (bookworm).
>>
>> Best regards,
>> Yang Wang
>> <yang.wang at windriver.com>
>>
>> -- System Information:
>> Debian Release: 11.11
>>    APT prefers oldstable
>>    APT policy: (500, 'oldstable')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 6.8.0-60-generic (SMP w/8 CPU threads; PREEMPT)
>> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL 
>> set to C), LANGUAGE not set
>> Shell: /bin/sh linked to /bin/dash
>> Init: unable to detect
>>
>> Versions of packages node-ws depends on:
>> ii  node-agent-base  6.0.2-2
>> ii  node-commander   6.2.1-2
>> ii  node-debug       4.3.1+~cs4.1.5-1
>> ii  node-read        1.0.7-2
>> ii  node-tinycolor   0.0.1-2
>> ii  nodejs           12.22.12~dfsg-1~deb11u4
>>
>> node-ws recommends no packages.
>>
>> node-ws suggests no packages.
>>
>> -- no debconf information
>