[Pkg-javascript-devel] Bug#1108351: node-ws: please fix CVE-2024-37890 in bookworm (DoS via uncaught exception)
Yang Wang
yang.wang at windriver.com
Thu Jun 26 16:39:55 BST 2025
Package: node-ws
Version: 8.11.0+~cs13.7.3-1
Severity: normal
Tags: patch, security
X-Debbugs-Cc: team at security.debian.org
Control: found -1 8.11.0+~cs13.7.3-1
Dear Maintainer,
The package `node-ws` in Debian bookworm is affected by CVE-2024-37890, a denial-of-service vulnerability: when an Upgrade request's headers cannot be fully read (for example because the request carries more header fields than `server.maxHeadersCount` allows), `req.headers.upgrade` is undefined and the unconditional `.toLowerCase()` call in lib/websocket-server.js throws an uncaught TypeError, which takes down the Node.js process. See:
https://security-tracker.debian.org/tracker/CVE-2024-37890
https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c
I have prepared a patch that backports the upstream fix to bookworm. The fixed package is versioned as:
8.11.0+~cs13.7.3-1+deb12u1
The patch is attached as a debdiff against the current bookworm version. I have tested that the patched package no longer crashes with the proof-of-concept request (an Upgrade request whose header count exceeds the server's `maxHeadersCount`, so the Upgrade header is dropped by Node's parser); the upstream regression tests for both the server (`lib/websocket-server.js`) and client (`lib/websocket.js`) code paths are included in the backport.
Please consider applying this patch to stable (bookworm).
Best regards,
Yang Wang
<yang.wang at windriver.com>
-- System Information:
Debian Release: 12.11
APT prefers stable
APT policy: (500, 'stable')
merged-usr: no
Architecture: amd64 (x86_64)
Kernel: Linux 6.8.0-60-generic (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages node-ws depends on:
ii node-commander 9.4.1-1
ii node-https-proxy-agent 5.0.1+~cs8.0.0-3
ii node-read 1.0.7-5
ii nodejs 18.19.0+dfsg-6~deb12u2
node-ws recommends no packages.
node-ws suggests no packages.
-- no debconf information
-------------- next part --------------
diff -Nru node-ws-8.11.0+~cs13.7.3/debian/changelog node-ws-8.11.0+~cs13.7.3/debian/changelog
--- node-ws-8.11.0+~cs13.7.3/debian/changelog 2022-11-19 07:38:27.000000000 +0000
+++ node-ws-8.11.0+~cs13.7.3/debian/changelog 2025-06-26 15:01:00.000000000 +0000
@@ -1,3 +1,11 @@
+node-ws (8.11.0+~cs13.7.3-1+deb12u1) bookworm-security; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport upstream patch for CVE-2024-37890 (DoS via uncaught exception).
+ - https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c.patch
+
+ -- Yang Wang <yang.wang at windriver.com> Thu, 26 Jun 2025 11:01:00 -0400
+
node-ws (8.11.0+~cs13.7.3-1) unstable; urgency=medium
* Team upload
diff -Nru node-ws-8.11.0+~cs13.7.3/debian/patches/fix-cve-2024-37890.patch node-ws-8.11.0+~cs13.7.3/debian/patches/fix-cve-2024-37890.patch
--- node-ws-8.11.0+~cs13.7.3/debian/patches/fix-cve-2024-37890.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-ws-8.11.0+~cs13.7.3/debian/patches/fix-cve-2024-37890.patch 2025-06-26 15:01:00.000000000 +0000
@@ -0,0 +1,147 @@
+Description: Backport upstream fix for CVE-2024-37890 (DoS via uncaught exception)
+ Backport of upstream commit e55e5106f10fcbaac37cfa89759e4cc0d073a52c.
+Author: Yang Wang <yang.wang at windriver.com>
+Origin: upstream, backport
+Bug: https://github.com/websockets/ws/issues/2253
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-37890
+CVE: CVE-2024-37890
+Forwarded: yes
+Last-Update: 2025-06-26
+Applied-Upstream: e55e5106f10fcbaac37cfa89759e4cc0d073a52c
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: node-ws-8.11.0+~cs13.7.3/lib/websocket-server.js
+===================================================================
+--- node-ws-8.11.0+~cs13.7.3.orig/lib/websocket-server.js
++++ node-ws-8.11.0+~cs13.7.3/lib/websocket-server.js
+@@ -231,6 +231,7 @@ class WebSocketServer extends EventEmitt
+ socket.on('error', socketOnError);
+
+ const key = req.headers['sec-websocket-key'];
++ const upgrade = req.headers.upgrade;
+ const version = +req.headers['sec-websocket-version'];
+
+ if (req.method !== 'GET') {
+@@ -239,13 +240,13 @@ class WebSocketServer extends EventEmitt
+ return;
+ }
+
+- if (req.headers.upgrade.toLowerCase() !== 'websocket') {
++ if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') {
+ const message = 'Invalid Upgrade header';
+ abortHandshakeOrEmitwsClientError(this, req, socket, 400, message);
+ return;
+ }
+
+- if (!key || !keyRegex.test(key)) {
++ if (key === undefined || !keyRegex.test(key)) {
+ const message = 'Missing or invalid Sec-WebSocket-Key header';
+ abortHandshakeOrEmitwsClientError(this, req, socket, 400, message);
+ return;
+Index: node-ws-8.11.0+~cs13.7.3/lib/websocket.js
+===================================================================
+--- node-ws-8.11.0+~cs13.7.3.orig/lib/websocket.js
++++ node-ws-8.11.0+~cs13.7.3/lib/websocket.js
+@@ -902,7 +902,9 @@ function initAsClient(websocket, address
+
+ req = websocket._req = null;
+
+- if (res.headers.upgrade.toLowerCase() !== 'websocket') {
++ const upgrade = res.headers.upgrade;
++
++ if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') {
+ abortHandshake(websocket, socket, 'Invalid Upgrade header');
+ return;
+ }
+Index: node-ws-8.11.0+~cs13.7.3/test/websocket-server.test.js
+===================================================================
+--- node-ws-8.11.0+~cs13.7.3.orig/test/websocket-server.test.js
++++ node-ws-8.11.0+~cs13.7.3/test/websocket-server.test.js
+@@ -590,6 +590,50 @@ describe('WebSocketServer', () => {
+ });
+ });
+
++ it('fails if the Upgrade header field value cannot be read', (done) => {
++ const server = http.createServer();
++ const wss = new WebSocket.Server({ noServer: true });
++
++ server.maxHeadersCount = 1;
++
++ server.on('upgrade', (req, socket, head) => {
++ assert.deepStrictEqual(req.headers, { foo: 'bar' });
++ wss.handleUpgrade(req, socket, head, () => {
++ done(new Error('Unexpected callback invocation'));
++ });
++ });
++
++ server.listen(() => {
++ const req = http.get({
++ port: server.address().port,
++ headers: {
++ foo: 'bar',
++ bar: 'baz',
++ Connection: 'Upgrade',
++ Upgrade: 'websocket'
++ }
++ });
++
++ req.on('response', (res) => {
++ assert.strictEqual(res.statusCode, 400);
++
++ const chunks = [];
++
++ res.on('data', (chunk) => {
++ chunks.push(chunk);
++ });
++
++ res.on('end', () => {
++ assert.strictEqual(
++ Buffer.concat(chunks).toString(),
++ 'Invalid Upgrade header'
++ );
++ server.close(done);
++ });
++ });
++ });
++ });
++
+ it('fails if the Upgrade header field value is not "websocket"', (done) => {
+ const wss = new WebSocket.Server({ port: 0 }, () => {
+ const req = http.get({
+Index: node-ws-8.11.0+~cs13.7.3/test/websocket.test.js
+===================================================================
+--- node-ws-8.11.0+~cs13.7.3.orig/test/websocket.test.js
++++ node-ws-8.11.0+~cs13.7.3/test/websocket.test.js
+@@ -688,6 +688,32 @@ describe('WebSocket', () => {
+ beforeEach((done) => server.listen(0, done));
+ afterEach((done) => server.close(done));
+
++ it('fails if the Upgrade header field value cannot be read', (done) => {
++ server.once('upgrade', (req, socket) => {
++ socket.on('end', socket.end);
++ socket.write(
++ 'HTTP/1.1 101 Switching Protocols\r\n' +
++ 'Connection: Upgrade\r\n' +
++ 'Upgrade: websocket\r\n' +
++ '\r\n'
++ );
++ });
++
++ const ws = new WebSocket(`ws://localhost:${server.address().port}`);
++
++ ws._req.maxHeadersCount = 1;
++
++ ws.on('upgrade', (res) => {
++ assert.deepStrictEqual(res.headers, { connection: 'Upgrade' });
++
++ ws.on('error', (err) => {
++ assert.ok(err instanceof Error);
++ assert.strictEqual(err.message, 'Invalid Upgrade header');
++ done();
++ });
++ });
++ });
++
+ it('fails if the Upgrade header field value is not "websocket"', (done) => {
+ server.once('upgrade', (req, socket) => {
+ socket.on('end', socket.end);
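Review bot: The DEP-3 header of debian/patches/fix-cve-2024-37890.patch sets `Forwarded: yes`, which is the wrong value for a patch that is itself a backport of an upstream commit (the same header says `Origin: upstream, backport` and `Applied-Upstream: e55e5106f10fcbaac37cfa89759e4cc0d073a52c`); DEP-3 reserves `yes` for patches that were sent to upstream, and a patch taken from upstream should read `Forwarded: not-needed`. `Author:` in DEP-3 names whoever wrote the patch, so for a cherry-pick it should carry the upstream author, with the backport credited in a free-text header line such as `Backported to 8.11.0 by Yang Wang <yang.wang at windriver.com>`. The line `This patch header follows DEP-3: ...` sits after the `---` separator, outside the header block that DEP-3 tooling parses, and can simply be dropped. The code hunks themselves track upstream as far as the visible lines show: both lib/websocket-server.js and lib/websocket.js now reject a missing Upgrade header with 'Invalid Upgrade header' instead of calling `.toLowerCase()` on undefined, and the added regression tests exercise exactly the `maxHeadersCount = 1` case that triggers the crash, so the backport looks complete for the code paths the CVE names.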
diff -Nru node-ws-8.11.0+~cs13.7.3/debian/patches/series node-ws-8.11.0+~cs13.7.3/debian/patches/series
--- node-ws-8.11.0+~cs13.7.3/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ node-ws-8.11.0+~cs13.7.3/debian/patches/series 2025-06-23 22:11:22.000000000 +0000
@@ -0,0 +1 @@
+fix-cve-2024-37890.patch