CVE-2024-37890 - Denial of Service (DoS)
Severity: Low
Date: 2025-03-11
Abstract
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways:
1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.
The Oxygen products incorporate ws as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability
--- | --- | ---
Oxygen Content Fusion v7.0 and older | None | Oxygen Content Fusion 7.1 build 2024100818
Detail
CVE-2024-37890
Severity: Critical
CVSS Score: 7.5
The ws third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2024-37890 vulnerability description. However, successful exploitation of this vulnerability in Oxygen products would only affect notification functionality, without compromising critical systems or data. For that reason, within the context of Oxygen products, the impact is considered Low.
Starting with Oxygen Content Fusion v7.1 build 2024100818, the ws library was updated to a version that fixes this vulnerability.