Package: node-ws Version: 8.11.0+~cs13.7.3-1 Severity: normal Tags: patch, security X-Debbugs-Cc: t...@security.debian.org Control: found -1 8.11.0+~cs13.7.3-1
Dear Maintainer, The package `node-ws` in Debian bookworm is affected by CVE-2024-37890, a denial-of-service vulnerability (uncaught TypeError in websocket-server.js when handling crafted HTTP requests). See: https://security-tracker.debian.org/tracker/CVE-2024-37890 https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c I have prepared a patch that backports the upstream fix to bookworm. The fixed package is versioned as: 8.11.0+~cs13.7.3-1+deb12u1 The patch is attached as a debdiff against the current bookworm version. I have tested that the patched package no longer crashes with the provided PoC. Please consider applying this patch to stable (bookworm). Best regards, Yang Wang <yang.w...@windriver.com> -- System Information: Debian Release: 12.11 APT prefers stable APT policy: (500, 'stable') merged-usr: no Architecture: amd64 (x86_64) Kernel: Linux 6.8.0-60-generic (SMP w/8 CPU threads; PREEMPT) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: unable to detect Versions of packages node-ws depends on: ii node-commander 9.4.1-1 ii node-https-proxy-agent 5.0.1+~cs8.0.0-3 ii node-read 1.0.7-5 ii nodejs 18.19.0+dfsg-6~deb12u2 node-ws recommends no packages. node-ws suggests no packages. -- no debconf information
diff -Nru node-ws-8.11.0+~cs13.7.3/debian/changelog node-ws-8.11.0+~cs13.7.3/debian/changelog
--- node-ws-8.11.0+~cs13.7.3/debian/changelog 2022-11-19 07:38:27.000000000 +0000
+++ node-ws-8.11.0+~cs13.7.3/debian/changelog 2025-06-26 15:01:00.000000000 +0000
@@ -1,3 +1,11 @@
+node-ws (8.11.0+~cs13.7.3-1+deb12u1) bookworm-security; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport upstream patch for CVE-2024-37890 (DoS via uncaught exception).
+ - https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c.patch
+
+ -- Yang Wang <yang.w...@windriver.com> Thu, 26 Jun 2025 11:01:00 -0400
+
 node-ws (8.11.0+~cs13.7.3-1) unstable; urgency=medium
 
 * Team upload
diff -Nru node-ws-8.11.0+~cs13.7.3/debian/patches/fix-cve-2024-37890.patch node-ws-8.11.0+~cs13.7.3/debian/patches/fix-cve-2024-37890.patch
--- node-ws-8.11.0+~cs13.7.3/debian/patches/fix-cve-2024-37890.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-ws-8.11.0+~cs13.7.3/debian/patches/fix-cve-2024-37890.patch 2025-06-26 15:01:00.000000000 +0000
@@ -0,0 +1,147 @@
+Description: Backport upstream fix for CVE-2024-37890 (DoS via uncaught exception)
+ Backport of upstream commit e55e5106f10fcbaac37cfa89759e4cc0d073a52c.
+Author: Yang Wang <yang.w...@windriver.com>
+Origin: upstream, backport
+Bug: https://github.com/websockets/ws/issues/2253
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-37890
+CVE: CVE-2024-37890
+Forwarded: yes
+Last-Update: 2025-06-26
+Applied-Upstream: e55e5106f10fcbaac37cfa89759e4cc0d073a52c
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: node-ws-8.11.0+~cs13.7.3/lib/websocket-server.js
+===================================================================
+--- node-ws-8.11.0+~cs13.7.3.orig/lib/websocket-server.js
++++ node-ws-8.11.0+~cs13.7.3/lib/websocket-server.js
+@@ -231,6 +231,7 @@ class WebSocketServer extends EventEmitt
+ socket.on('error', socketOnError);
+
+ const key = req.headers['sec-websocket-key'];
++ const upgrade = req.headers.upgrade;
+ const version = +req.headers['sec-websocket-version'];
+
+ if (req.method !== 'GET') {
+@@ -239,13 +240,13 @@ class WebSocketServer extends EventEmitt
+ return;
+ }
+
+- if (req.headers.upgrade.toLowerCase() !== 'websocket') {
++ if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') {
+ const message = 'Invalid Upgrade header';
+ abortHandshakeOrEmitwsClientError(this, req, socket, 400, message);
+ return;
+ }
+
+- if (!key || !keyRegex.test(key)) {
++ if (key === undefined || !keyRegex.test(key)) {
+ const message = 'Missing or invalid Sec-WebSocket-Key header';
+ abortHandshakeOrEmitwsClientError(this, req, socket, 400, message);
+ return;
+Index: node-ws-8.11.0+~cs13.7.3/lib/websocket.js
+===================================================================
+--- node-ws-8.11.0+~cs13.7.3.orig/lib/websocket.js
++++ node-ws-8.11.0+~cs13.7.3/lib/websocket.js
+@@ -902,7 +902,9 @@ function initAsClient(websocket, address
+
+ req = websocket._req = null;
+
+- if (res.headers.upgrade.toLowerCase() !== 'websocket') {
++ const upgrade = res.headers.upgrade;
++
++ if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') {
+ abortHandshake(websocket, socket, 'Invalid Upgrade header');
+ return;
+ }
+Index: node-ws-8.11.0+~cs13.7.3/test/websocket-server.test.js
+===================================================================
+--- node-ws-8.11.0+~cs13.7.3.orig/test/websocket-server.test.js
++++ node-ws-8.11.0+~cs13.7.3/test/websocket-server.test.js
+@@ -590,6 +590,50 @@ describe('WebSocketServer', () => {
+ });
+ });
+
++ it('fails if the Upgrade header field value cannot be read', (done) => {
++ const server = http.createServer();
++ const wss = new WebSocket.Server({ noServer: true });
++
++ server.maxHeadersCount = 1;
++
++ server.on('upgrade', (req, socket, head) => {
++ assert.deepStrictEqual(req.headers, { foo: 'bar' });
++ wss.handleUpgrade(req, socket, head, () => {
++ done(new Error('Unexpected callback invocation'));
++ });
++ });
++
++ server.listen(() => {
++ const req = http.get({
++ port: server.address().port,
++ headers: {
++ foo: 'bar',
++ bar: 'baz',
++ Connection: 'Upgrade',
++ Upgrade: 'websocket'
++ }
++ });
++
++ req.on('response', (res) => {
++ assert.strictEqual(res.statusCode, 400);
++
++ const chunks = [];
++
++ res.on('data', (chunk) => {
++ chunks.push(chunk);
++ });
++
++ res.on('end', () => {
++ assert.strictEqual(
++ Buffer.concat(chunks).toString(),
++ 'Invalid Upgrade header'
++ );
++ server.close(done);
++ });
++ });
++ });
++ });
++
+ it('fails if the Upgrade header field value is not "websocket"', (done) => {
+ const wss = new WebSocket.Server({ port: 0 }, () => {
+ const req = http.get({
+Index: node-ws-8.11.0+~cs13.7.3/test/websocket.test.js
+===================================================================
+--- node-ws-8.11.0+~cs13.7.3.orig/test/websocket.test.js
++++ node-ws-8.11.0+~cs13.7.3/test/websocket.test.js
+@@ -688,6 +688,32 @@ describe('WebSocket', () => {
+ beforeEach((done) => server.listen(0, done));
+ afterEach((done) => server.close(done));
+
++ it('fails if the Upgrade header field value cannot be read', (done) => {
++ server.once('upgrade', (req, socket) => {
++ socket.on('end', socket.end);
++ socket.write(
++ 'HTTP/1.1 101 Switching Protocols\r\n' +
++ 'Connection: Upgrade\r\n' +
++ 'Upgrade: websocket\r\n' +
++ '\r\n'
++ );
++ });
++
++ const ws = new WebSocket(`ws://localhost:${server.address().port}`);
++
++ ws._req.maxHeadersCount = 1;
++
++ ws.on('upgrade', (res) => {
++ assert.deepStrictEqual(res.headers, { connection: 'Upgrade' });
++
++ ws.on('error', (err) => {
++ assert.ok(err instanceof Error);
++ assert.strictEqual(err.message, 'Invalid Upgrade header');
++ done();
++ });
++ });
++ });
++
+ it('fails if the Upgrade header field value is not "websocket"', (done) => {
+ server.once('upgrade', (req, socket) => {
+ socket.on('end', socket.end);
diff -Nru node-ws-8.11.0+~cs13.7.3/debian/patches/series node-ws-8.11.0+~cs13.7.3/debian/patches/series
--- node-ws-8.11.0+~cs13.7.3/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ node-ws-8.11.0+~cs13.7.3/debian/patches/series 2025-06-23 22:11:22.000000000 +0000
@@ -0,0 +1 @@
+fix-cve-2024-37890.patch
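Review bot: The DEP-3 header of the new patch file records `Forwarded: yes`, but the patch is a backport of a commit already merged upstream (as the `Applied-Upstream:` field itself states), so the conventional value is `Forwarded: not-needed`; similarly `Origin: upstream, backport` is not a DEP-3 category and should read `Origin: backport, https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c`. The code side of the backport is consistent with the upstream change it cites: both `req.headers.upgrade` and `res.headers.upgrade` are read into a local and checked for `undefined` before `.toLowerCase()`, which is exactly the TypeError path the CVE describes, and the two added tests reproduce the missing-header condition by setting `maxHeadersCount = 1` so the Upgrade header is dropped by the HTTP parser. One sentence in the DEP-3 description noting that `!key` was tightened to `key === undefined` as part of the same upstream commit, with the expected behaviour for an empty `Sec-WebSocket-Key` left to `keyRegex`, would save the next maintainer from wondering whether that line is an unrelated change.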