CVE-2024-37890 - Denial of Service (DoS)

Severity: Low

2024-12-18


Abstract

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in one of the following ways:

1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size flag and/or the maxHeaderSize option, so that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.

The Oxygen products incorporate ws as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product                              | Severity | Fixed Release Availability
Oxygen Content Fusion v7.0 and older | None     | Oxygen Content Fusion 7.1 build 2024100818

Mitigation

None

Detail

CVE-2024-37890

Severity: High

CVSS Score: 7.5

The ws third-party library used by Oxygen XML products is one of the affected versions named in the CVE-2024-37890 description. However, successful exploitation of this vulnerability in Oxygen products would only affect the notification functionality, without compromising critical systems or data. For that reason, within the context of Oxygen products, the impact is considered Low.

Starting with Oxygen Content Fusion v7.1 build 2024100818, the ws library was updated to a version that fixes this vulnerability.
