GraphQL Subscriptions Transport Package Contains Two Unpatched Vulnerabilities, Including High-Severity CVE-2024-37890
A security alert has been raised for the `subscriptions-transport-ws` package, version 0.9.16, which carries two unpatched vulnerabilities through its `ws` dependency. The more severe is CVE-2024-37890 (CVSS 7.5, high), a denial-of-service flaw in the `ws` server that lets a client crash the process with an upgrade request carrying an excessive number of HTTP headers. The second is CVE-2021-32640 (CVSS 5.3, medium), a regular-expression denial of service triggered by a crafted `Sec-WebSocket-Protocol` header during the handshake. Both are flagged as 'transitive': the vulnerable code lives in `ws` 5.2.2 (`ws-5.2.2.tgz`), which `subscriptions-transport-ws` pulls in, not in the package's own code. Critically, the scanner reports no fixed version for this dependency path, that is, no release of `subscriptions-transport-ws` that resolves to a patched `ws`.
The `subscriptions-transport-ws` library is a WebSocket transport layer for GraphQL subscriptions, a core component for real-time data in many modern applications. The automated analysis assessed the vulnerable code as 'unreachable', meaning the scanner found no call path from the application's own code into the affected `ws` functions. That verdict deserves scepticism: both flaws are triggered by attacker-controlled handshake headers that the `ws` server parses on every inbound connection, inside library code that static reachability analysis does not always follow. Any deployment that accepts WebSocket connections through this version is therefore exposed to every client that can reach the endpoint, and unpatched, high-severity flaws in a foundational communication library remain a latent risk.
The situation places development and security teams in a difficult position. With no direct patch available, mitigation must come from around the package: capping request header size with Node's `--max-http-header-size` flag or the `maxHeaderSize` server option, which is the workaround the `ws` advisories list for both CVEs; rejecting oversized or malformed handshake headers at a reverse proxy or in an `upgrade` handler before `ws` sees them; monitoring for anomalous WebSocket handshakes; or forcing a patched `ws` into the dependency tree with npm `overrides` or Yarn `resolutions`, which then has to be tested for compatibility with the old transport. The persistence of CVE-2021-32640, a 2021 vulnerability, alongside the 2024 flaw underscores a neglected dependency chain, and the package itself is deprecated upstream in favour of `graphql-ws`. Projects using it must weigh the operational risk of an unpatched transport layer against the cost and complexity of a workaround or a migration.