CVE-2026-48779

June 17, 2026, 7:18 p.m.

7.5
High

Description

ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.

Product(s) Impacted

Vendor Product Versions
Ws
  • Ws
  • <1.1.0-5.2.4>, 6.0.0-6.2.3, 7.0.0-7.5.10, 8.0.0-8.21.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-400
Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a ws ws <1.1.0-5.2.4> / / / / / / /
a ws ws 6.0.0-6.2.3 / / / / / / /
a ws ws 7.0.0-7.5.10 / / / / / / /
a ws ws 8.0.0-8.21.0 / / / / / / /

References

https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7
https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53
https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94
https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8
https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p
https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p

Tags

[email protected]
CWE-400
2026-06-17
CVE-2026-48779

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: June 17, 2026, 1:20 p.m.
Last Modified: June 17, 2026, 7:18 p.m.

Status : Undergoing Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.