[Pkg-javascript-devel] Bug#1108355: node-ws: please fix CVE-2024-37890 in bullseye (DoS via uncaught exception)
Yang Wang
yang.wang at windriver.com
Thu Jun 26 18:45:55 BST 2025
Package: node-ws
Version: 7.4.2+~cs18.0.8-3
Severity: normal
Tags: patch, security
X-Debbugs-Cc: debian-lts at lists.debian.org
Control: found -1 7.4.2+~cs18.0.8-3
Dear Maintainer,
The package `node-ws` in Debian bullseye is affected by CVE-2024-37890, a denial-of-service vulnerability: when a client sends more header fields than the server's `maxHeadersCount`, Node drops the excess headers, `req.headers.upgrade` is undefined, and `WebSocketServer.handleUpgrade()` in lib/websocket-server.js throws an uncaught TypeError on `.toLowerCase()`. See:
https://security-tracker.debian.org/tracker/CVE-2024-37890
https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
I have prepared a patch that backports the upstream fix to bullseye. The fixed package is versioned as:
7.4.2+~cs18.0.8-3+deb11u1
The patch is attached as a debdiff against the current bullseye version. I have tested that the patched package no longer crashes with the reproducer from the upstream report (a request whose header count exceeds `maxHeadersCount`, so the Upgrade header is dropped).
Please consider applying this patch to bullseye (oldstable).
Best regards,
Yang Wang
<yang.wang at windriver.com>
-- System Information:
Debian Release: 11.11
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.8.0-60-generic (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages node-ws depends on:
ii node-agent-base 6.0.2-2
ii node-commander 6.2.1-2
ii node-debug 4.3.1+~cs4.1.5-1
ii node-read 1.0.7-2
ii node-tinycolor 0.0.1-2
ii nodejs 12.22.12~dfsg-1~deb11u4
node-ws recommends no packages.
node-ws suggests no packages.
-- no debconf information
-------------- next part --------------
diff -Nru node-ws-7.4.2+~cs18.0.8/debian/changelog node-ws-7.4.2+~cs18.0.8/debian/changelog
--- node-ws-7.4.2+~cs18.0.8/debian/changelog 2021-05-26 06:26:30.000000000 +0000
+++ node-ws-7.4.2+~cs18.0.8/debian/changelog 2025-06-26 17:37:00.000000000 +0000
@@ -1,3 +1,11 @@
+node-ws (7.4.2+~cs18.0.8-3+deb11u1) bullseye-security; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport upstream patch for CVE-2024-37890 (DoS via uncaught exception).
+ - https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
+
+ -- Yang Wang <yang.wang at windriver.com> Thu, 26 Jun 2025 13:37:00 -0400
+
node-ws (7.4.2+~cs18.0.8-2) unstable; urgency=medium
* Team upload
diff -Nru node-ws-7.4.2+~cs18.0.8/debian/patches/fix-cve-2024-37890.patch node-ws-7.4.2+~cs18.0.8/debian/patches/fix-cve-2024-37890.patch
--- node-ws-7.4.2+~cs18.0.8/debian/patches/fix-cve-2024-37890.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-ws-7.4.2+~cs18.0.8/debian/patches/fix-cve-2024-37890.patch 2025-06-26 17:36:41.000000000 +0000
@@ -0,0 +1,160 @@
+Description: Backport upstream fix for CVE-2024-37890 (DoS via uncaught exception)
+ Backport of upstream commit 22c28763234aa75a7e1b76f5c01c181260d7917f
+Author: Yang Wang <yang.wang at windriver.com>
+Origin: upstream, backport
+Bug: https://github.com/websockets/ws/issues/2230
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-37890
+CVE: CVE-2024-37890
+Forwarded: yes
+Last-Update: 2025-06-26
+Applied-Upstream: 22c28763234aa75a7e1b76f5c01c181260d7917f
+
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: node-ws-7.4.2+~cs18.0.8/lib/websocket-server.js
+===================================================================
+--- node-ws-7.4.2+~cs18.0.8.orig/lib/websocket-server.js
++++ node-ws-7.4.2+~cs18.0.8/lib/websocket-server.js
+@@ -185,12 +185,14 @@ class WebSocketServer extends EventEmitt
+ req.headers['sec-websocket-key'] !== undefined
+ ? req.headers['sec-websocket-key'].trim()
+ : false;
++ const upgrade = req.headers.upgrade;
+ const version = +req.headers['sec-websocket-version'];
+ const extensions = {};
+
+ if (
+ req.method !== 'GET' ||
+- req.headers.upgrade.toLowerCase() !== 'websocket' ||
++ upgrade === undefined ||
++ upgrade.toLowerCase() !== 'websocket' ||
+ !key ||
+ !keyRegex.test(key) ||
+ (version !== 8 && version !== 13) ||
+Index: node-ws-7.4.2+~cs18.0.8/lib/websocket.js
+===================================================================
+--- node-ws-7.4.2+~cs18.0.8.orig/lib/websocket.js
++++ node-ws-7.4.2+~cs18.0.8/lib/websocket.js
+@@ -620,6 +620,13 @@ function initAsClient(websocket, address
+
+ req = websocket._req = null;
+
++ const upgrade = res.headers.upgrade;
++
++ if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') {
++ abortHandshake(websocket, socket, 'Invalid Upgrade header');
++ return;
++ }
++
+ const digest = createHash('sha1')
+ .update(key + GUID)
+ .digest('base64');
+Index: node-ws-7.4.2+~cs18.0.8/test/websocket-server.test.js
+===================================================================
+--- node-ws-7.4.2+~cs18.0.8.orig/test/websocket-server.test.js
++++ node-ws-7.4.2+~cs18.0.8/test/websocket-server.test.js
+@@ -427,6 +427,47 @@ describe('WebSocketServer', () => {
+ });
+
+ describe('Connection establishing', () => {
++ it('fails if the Upgrade header field value cannot be read', (done) => {
++ const server = http.createServer();
++ const wss = new WebSocket.Server({ noServer: true });
++
++ server.maxHeadersCount = 1;
++
++ server.on('upgrade', (req, socket, head) => {
++ assert.deepStrictEqual(req.headers, { foo: 'bar' });
++ wss.handleUpgrade(req, socket, head, () => {
++ done(new Error('Unexpected callback invocation'));
++ });
++ });
++
++ server.listen(() => {
++ const req = http.get({
++ port: server.address().port,
++ headers: {
++ foo: 'bar',
++ bar: 'baz',
++ Connection: 'Upgrade',
++ Upgrade: 'websocket'
++ }
++ });
++
++ req.on('response', (res) => {
++ assert.strictEqual(res.statusCode, 400);
++
++ const chunks = [];
++
++ res.on('data', (chunk) => {
++ chunks.push(chunk);
++ });
++
++ res.on('end', () => {
++ assert.strictEqual(Buffer.concat(chunks).toString(), 'Bad Request');
++ server.close(done);
++ });
++ });
++ });
++ });
++
+ it('fails if the Sec-WebSocket-Key header is invalid (1/2)', (done) => {
+ const wss = new WebSocket.Server({ port: 0 }, () => {
+ const req = http.get({
+Index: node-ws-7.4.2+~cs18.0.8/test/websocket.test.js
+===================================================================
+--- node-ws-7.4.2+~cs18.0.8.orig/test/websocket.test.js
++++ node-ws-7.4.2+~cs18.0.8/test/websocket.test.js
+@@ -510,6 +510,52 @@ describe('WebSocket', () => {
+ beforeEach((done) => server.listen(0, done));
+ afterEach((done) => server.close(done));
+
++ it('fails if the Upgrade header field value cannot be read', (done) => {
++ server.once('upgrade', (req, socket) => {
++ socket.on('end', socket.end);
++ socket.write(
++ 'HTTP/1.1 101 Switching Protocols\r\n' +
++ 'Connection: Upgrade\r\n' +
++ 'Upgrade: websocket\r\n' +
++ '\r\n'
++ );
++ });
++
++ const ws = new WebSocket(`ws://localhost:${server.address().port}`);
++
++ ws._req.maxHeadersCount = 1;
++
++ ws.on('upgrade', (res) => {
++ assert.deepStrictEqual(res.headers, { connection: 'Upgrade' });
++
++ ws.on('error', (err) => {
++ assert.ok(err instanceof Error);
++ assert.strictEqual(err.message, 'Invalid Upgrade header');
++ done();
++ });
++ });
++ });
++
++ it('fails if the Upgrade header field value is not "websocket"', (done) => {
++ server.once('upgrade', (req, socket) => {
++ socket.on('end', socket.end);
++ socket.write(
++ 'HTTP/1.1 101 Switching Protocols\r\n' +
++ 'Connection: Upgrade\r\n' +
++ 'Upgrade: foo\r\n' +
++ '\r\n'
++ );
++ });
++
++ const ws = new WebSocket(`ws://localhost:${server.address().port}`);
++
++ ws.on('error', (err) => {
++ assert.ok(err instanceof Error);
++ assert.strictEqual(err.message, 'Invalid Upgrade header');
++ done();
++ });
++ });
++
+ it('fails if the Sec-WebSocket-Accept header is invalid', (done) => {
+ server.once('upgrade', (req, socket) => {
+ socket.on('end', socket.end);
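Review bot: The DEP-3 header at the top of this hunk mislabels the patch's provenance: the body is a straight backport of upstream commit 22c28763234aa75a7e1b76f5c01c181260d7917f, so the conventional values are `Origin: backport, https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f` and `Forwarded: not-needed`, not `Origin: upstream, backport` / `Forwarded: yes`. The code change itself matches upstream: `handleUpgrade` now reads `req.headers.upgrade` once and routes an undefined value through the existing 400 rejection instead of calling `.toLowerCase()` on it, and `initAsClient` gains the symmetric check before the Sec-WebSocket-Accept digest comparison; both functions begin and end outside the nested hunks, so nothing here shows whether other header reads in the same functions are guarded the same way. The new mocha cases are the only thing exercising the undefined-Upgrade branch (via `maxHeadersCount = 1`), and whether debian/rules runs the suite on bullseye's nodejs 12.22 is not visible in this debdiff — if it does not, please state in the bug that the suite was run locally against the patched tree. For consistency with the existing `CVE-2021-32640.patch` entry in debian/patches/series, consider naming this file `CVE-2024-37890.patch`.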
diff -Nru node-ws-7.4.2+~cs18.0.8/debian/patches/series node-ws-7.4.2+~cs18.0.8/debian/patches/series
--- node-ws-7.4.2+~cs18.0.8/debian/patches/series 2021-05-26 06:21:49.000000000 +0000
+++ node-ws-7.4.2+~cs18.0.8/debian/patches/series 2025-06-26 17:35:23.000000000 +0000
@@ -1 +1,2 @@
CVE-2021-32640.patch
+fix-cve-2024-37890.patch