ws affected by a DoS when handling a request with many HTTP headers

Description

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

Recommendation

Update the ws package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 8.0.0, < 8.17.1

  >= 7.0.0, < 7.5.10

  >= 6.0.0, < 6.2.3

  >= 2.1.0, < 5.2.4**

• Patched version(s): **8.17.1

  7.5.10

  6.2.3

  5.2.4**

References

• GHSA-3h5v-q93c-6h6q
• CVE-2024-37890
• CWE-476
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Nuxt Icon affected by a Server-Side Request Forgery (SSRF) - CVE-2024-42352
• dectalk-tts Uses Unencrypted HTTP Request - CVE-2024-31206
• Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) 8 - CVE-2025-65944
• Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) 7 - CVE-2025-65944

Tags:

npm

ws