VulnerableCode Package Details

Search for packages

Vulnerability	Summary	Fixed by
VCID-h7zx-ben4-tfhf Aliases: CVE-2024-37890 GHSA-3h5v-q93c-6h6q	ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.	5.2.4 Affected by 0 other vulnerabilities. 6.2.3 Affected by 0 other vulnerabilities. 7.5.10 Affected by 0 other vulnerabilities. 8.17.1 Affected by 0 other vulnerabilities.
VCID-hhzr-sn73-sucg Aliases: GHSA-5v72-xg48-5rpm GMS-2019-145	Denial of Service in ws	3.3.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-kxgy-dea9-r7hf Aliases: GMS-2017-331	Denial of Service A specially crafted value of the `Sec-WebSocket-Extensions` header that uses `Object.prototype` property names as extension or parameter names can be used to make a `ws` server crash.	3.3.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-h7zx-ben4-tfhf
Aliases:
CVE-2024-37890
GHSA-3h5v-q93c-6h6q

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

5.2.4
Affected by 0 other vulnerabilities.

6.2.3
Affected by 0 other vulnerabilities.

7.5.10
Affected by 0 other vulnerabilities.

8.17.1
Affected by 0 other vulnerabilities.

VCID-hhzr-sn73-sucg
Aliases:
GHSA-5v72-xg48-5rpm
GMS-2019-145

Denial of Service in ws

3.3.1
Affected by 1 other vulnerability.

VCID-kxgy-dea9-r7hf
Aliases:
GMS-2017-331

Denial of Service A specially crafted value of the `Sec-WebSocket-Extensions` header that uses `Object.prototype` property names as extension or parameter names can be used to make a `ws` server crash.

3.3.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T19:33:06.111714+00:00	GitLab Importer	Affected by	VCID-h7zx-ben4-tfhf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/CVE-2024-37890.yml	38.6.0
2026-06-12T17:11:42.932077+00:00	GitLab Importer	Affected by	VCID-hhzr-sn73-sucg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/GMS-2019-145.yml	38.6.0
2026-06-12T16:55:58.210588+00:00	GitLab Importer	Affected by	VCID-kxgy-dea9-r7hf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/GMS-2017-331.yml	38.6.0