CVE-2026-48779
HIGH EPSS 40.5%
Published Jun 17, 2026 · Modified Jun 18, 2026
7.5 CVSS 3.1
Description
ws is an open source WebSocket client and server for Node.js. Versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to (but not including) 6.2.4, from 7.0.0 up to (but not including) 7.5.11, and from 8.0.0 up to (but not including) 8.21.0 are affected by a memory exhaustion denial-of-service (DoS) vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to an out-of-memory (OOM) condition. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High
Threat Intelligence
EPSS Exploit Probability
40.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 2
CWE-400 Uncontrolled Resource Consumption Resource Mgmt
CWE-770
Affected Products 4
| Vendor | Product | Version | Range |
|---|---|---|---|
| ws_project | ws | * | ≥1.1.0 – <5.2.5 |
| ws_project | ws | * | ≥6.0.0 – <6.2.4 |
| ws_project | ws | * | ≥7.0.0 – <7.5.11 |
| ws_project | ws | * | ≥8.0.0 – <8.21.0 |
References 5
- https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7
- https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53
- https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94
- https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8
- https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p