modernweb-dev / web

Guides, tools and libraries for modern web development.
https://modern-web.dev
MIT License

[dev-server-core | dev-server-hmr] CVE-2024-37890: "ws affected by a DoS when handling a request with many HTTP headers" #2754

Closed KearseTrevor closed 1 week ago

KearseTrevor commented 2 weeks ago

This issue is meant to raise discussion/provide transparency for the current vulnerability with the ws package that @web/dev-server-core and @web/dev-server-hmr make use of. It seems the current recommended fix is to major rev the package to 8.17.1.

Additional requirements of ws are made via a transitive dependency on puppeteer-core. Updating puppeteer-core to 22.11.2 will address these instances.

Convenience link to CVE-2024-37890

KearseTrevor commented 1 week ago

Closing issue per the following:

Patches

The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e).