HIGH🇬🇧 English

CVE-2026-48779

CVSS 7.5v3.1pub. 2026-06-17upd. 2026-07-02

ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Ws Project Ws

    APP
    Ws Project
    1.1.0 – 5.2.5 (bez)6.0.0 – 6.2.4 (bez)7.0.0 – 7.5.11 (bez)8.0.0 – 8.21.0 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2016-10518HIGH7.5ten sam produkt

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to all...

CVE-2016-10542HIGH7.5ten sam produkt

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, u...

CVE-2026-45736MEDIUM4.4ten sam produkt

ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implement...

CVE-2021-32640MEDIUM5.3ten sam produkt

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-We...

CVE-2026-48779 — HIGH 7.5 | CVEbaza.pl