#1108351 node-ws: please fix CVE-2024-37890 in bookworm (DoS via uncaught exception)

Package:
src:node-ws
Source:
src:node-ws
Submitter:
Yang Wang
Date:
2025-06-26 22:01:08 UTC
Severity:
normal
Tags:
#1108351#5
Date:
2025-06-26 15:39:55 UTC
From:
To:
Dear Maintainer,

The package `node-ws` in Debian bookworm is affected by CVE-2024-37890, a denial-of-service vulnerability (uncaught TypeError in websocket-server.js when handling crafted HTTP requests). See:
https://security-tracker.debian.org/tracker/CVE-2024-37890
https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c

I have prepared a patch that backports the upstream fix to bookworm. The fixed package is versioned as:

  8.11.0+~cs13.7.3-1+deb12u1

The patch is attached as a debdiff against the current bookworm version. I have tested that the patched package no longer crashes with the provided PoC.

Please consider applying this patch to stable (bookworm).

Best regards,
Yang Wang
<yang.wang@windriver.com>
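An added illustration of the failure mode described above and of the defensive check that closes it, modelled on the upstream fix but not code from ws or from the Debian patch; the simplified handler shape, function names and sample request are assumptions.

```javascript
// Added example, not part of the bug report or of ws itself (assumption:
// the handshake is reduced to a function that returns an HTTP status code).
const SUPPORTED_VERSIONS = new Set([8, 13]);

// Vulnerable shape: assumes req.headers.upgrade is always a string.
function classifyUpgradeVulnerable(req) {
  const upgrade = req.headers.upgrade;
  if (req.method !== 'GET') return 405;
  // If the Upgrade header is absent, this throws a TypeError; when nothing
  // catches it, the whole Node process goes down (the DoS in CVE-2024-37890).
  if (upgrade.toLowerCase() !== 'websocket') return 400;
  return 101;
}

// Hardened shape: a missing Upgrade header is an ordinary bad request.
function classifyUpgradeHardened(req) {
  const upgrade = req.headers.upgrade;
  const key = req.headers['sec-websocket-key'];
  const version = +req.headers['sec-websocket-version'];
  if (req.method !== 'GET') return 405;
  if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') return 400;
  // Sec-WebSocket-Key must be 16 random bytes, base64-encoded (22 chars + "==").
  if (key === undefined || !/^[+/0-9A-Za-z]{22}==$/.test(key)) return 400;
  if (!SUPPORTED_VERSIONS.has(version)) return 400;
  return 101;
}

// Constructed sample: a GET whose headers object carries no 'upgrade' entry.
function sampleRequestMissingUpgrade() {
  return { method: 'GET', headers: { host: 'example.invalid' } };
}

// Regression check: does the handler escape with a TypeError on that input?
function crashesOnMissingUpgrade(handler) {
  try {
    handler(sampleRequestMissingUpgrade());
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

The hardened check is the shape to look for when verifying a backport: a request without a readable Upgrade header must yield a 400 response, never an exception that unwinds past the handshake.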