HIGH · CVSS 7.5
CVE-2024-37890 — ws WebSocket DoS
The `ws` WebSocket server crashed when a handshake request carried more headers than the underlying HTTP server's `maxHeadersCount` limit (Node's default is 2000). Node drops the excess headers from `req.headers` but still treats the request as an upgrade; ws then read the missing `Upgrade` header without checking for it, and the resulting uncaught `TypeError` took down the process. This is a crash, not memory exhaustion: a single request is enough.
Affects
- ws 8.x < 8.17.1
- ws 7.x < 7.5.10
- ws 6.x < 6.2.3
- ws 5.x < 5.2.4
What an attacker does
The attacker sends a WebSocket handshake with more than `server.maxHeadersCount` headers (2000 by default), which fits comfortably inside Node's default 16 KiB header budget when each header is only a few bytes. Node keeps only the first 2000 pairs in `req.headers` but still emits the `upgrade` event, so ws dereferences an absent `Upgrade` header, throws a `TypeError`, and the process exits. No large buffers or repeated connections are involved; one crafted request per restart is all it takes.
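The crash path described above, as an added example that is not code from the ws project. `buildReq` is a simplified stand-in for Node's header handling (it keeps only the first `maxHeadersCount` pairs, lowercases names and joins duplicates with a comma, which is an approximation of Node's real rules), and the two handler functions model the shape of the vulnerable and fixed `Upgrade` checks rather than copying ws's code. The handshake headers are constructed; the `Sec-WebSocket-Key` value is the RFC 6455 sample key.

```javascript
// Added example (not ws's code): why a request with more headers than
// server.maxHeadersCount crashed pre-fix ws servers, and what the fix changes.

const NODE_DEFAULT_MAX_HEADERS = 2000; // Node's default server.maxHeadersCount

// Simplified model of Node's behaviour: header pairs beyond maxHeadersCount are
// dropped from req.headers, while the parser still reports the request as an
// upgrade. A value of 0 means "no limit", as in Node.
function buildReq(rawHeaders, maxHeadersCount = NODE_DEFAULT_MAX_HEADERS) {
  const headers = {};
  let kept = 0;
  for (const [name, value] of rawHeaders) {
    if (maxHeadersCount > 0 && kept >= maxHeadersCount) break;
    const key = name.toLowerCase();
    headers[key] = key in headers ? `${headers[key]}, ${value}` : value;
    kept += 1;
  }
  return { method: 'GET', headers };
}

// Pre-fix pattern: dereferences req.headers.upgrade without an undefined check.
// Returns an HTTP status for the handshake; throws TypeError when the header
// was truncated away, which escaped the 'upgrade' listener and killed the process.
function vulnerableHandleUpgrade(req) {
  if (req.headers.upgrade.toLowerCase() !== 'websocket') return 400;
  return 101;
}

// Fixed pattern (the shape of the 8.17.1 / 7.5.10 change): a missing Upgrade
// header is handled like a wrong one and the handshake is aborted with 400.
function fixedHandleUpgrade(req) {
  const upgrade = req.headers.upgrade;
  if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') return 400;
  return 101;
}

// Constructed handshake: `fillerCount` tiny junk headers are sent before the
// real WebSocket headers, pushing them past the maxHeadersCount cut-off.
function craftedHandshake(fillerCount = 2100) {
  const raw = [['Host', 'example.test']];
  for (let i = 0; i < fillerCount; i++) raw.push([`X-Filler-${i}`, 'a']);
  raw.push(
    ['Connection', 'Upgrade'],
    ['Upgrade', 'websocket'],
    ['Sec-WebSocket-Key', 'dGhlIHNhbXBsZSBub25jZQ=='],
    ['Sec-WebSocket-Version', '13'],
  );
  return raw;
}

// Runs a handler and reports whether it threw the TypeError that, in a real
// server, would have crashed the process.
function outcome(handler, req) {
  try {
    return { status: handler(req), crashed: false };
  } catch (e) {
    return { status: null, crashed: e instanceof TypeError };
  }
}

const crafted = buildReq(craftedHandshake());   // Upgrade header truncated away
const benign = buildReq(craftedHandshake(0));   // normal five-header handshake

console.log('vulnerable, crafted:', outcome(vulnerableHandleUpgrade, crafted)); // { status: null, crashed: true }
console.log('fixed, crafted:     ', outcome(fixedHandleUpgrade, crafted));      // { status: 400, crashed: false }
console.log('vulnerable, benign: ', outcome(vulnerableHandleUpgrade, benign));  // { status: 101, crashed: false }
console.log('no header cap:      ', buildReq(craftedHandshake(), 0).headers.upgrade); // websocket
```

The last line shows why `server.maxHeadersCount = 0` works as an interim mitigation: with no cap, nothing is truncated and the `Upgrade` header reaches the handler even on the crafted request.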
How to detect
`npm ls ws --all` (or `npm audit`) — upgrade if the installed version is below 8.17.1 on 8.x, 7.5.10 on 7.x, 6.2.3 on 6.x or 5.2.4 on 5.x. Check the whole tree: ws is usually a transitive dependency (Socket.IO pulls it in through engine.io), so a clean top-level `package.json` proves nothing.
How to fix
Upgrade ws to 8.17.1+ / 7.5.10+ (6.2.3+ / 5.2.4+ on the older lines). `maxPayload` does not help here: it caps WebSocket frame payloads after the handshake, not HTTP request headers. If you cannot upgrade immediately, the advisory's workarounds are to set `server.maxHeadersCount = 0` on the HTTP server that ws is attached to, so Node never truncates headers, or to lower `maxHeaderSize` / `--max-http-header-size` far enough that more than `maxHeadersCount` headers cannot fit in one request.
How Securie catches it
Securie's dependency scanner flags affected ws versions, whether installed directly or transitively, in Next.js, NestJS, and Socket.IO projects.