Impact
The ws library processes incoming WebSocket frames by wrapping each fragment in an internal structure. A malicious peer can flood a server or client with thousands of tiny fragments that appear normal but force the library to allocate dozens of wrappers, consuming far more memory than the configured message‑size limit. If the application keeps processing these frames, system RAM is exhausted and the node process terminates with an out‑of‑memory error, producing a denial‑of‑service condition. The flaw is a classic resource depletion weakness (CWE‑400), involves uncontrolled allocation (CWE‑770), and introduces a misallocation that may lead to undefined behavior (CWE‑1050). No authentication or privileged access is required to trigger the attack.
Affected Systems
The open‑source WebSocket client and server for Node.js, known as ws, is vulnerable across multiple major releases. All versions from 1.1.0 up to, but not including, 5.2.5; from 6.0.0 up to 6.2.4; from 7.0.0 up to 7.5.11; and from 8.0.0 up to 8.21.0 contain the weakness. Fixed releases are 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
Risk and Exploitability
A CVSS score of 7.5 indicates a high‑severity denial‑of‑service risk. The EPSS score is reported as less than 1%, meaning exploit attempts in the wild are very uncommon, but the vulnerability remains possible if an attacker can reach the node process over the network. Attackers do not need any special authentication and can send frames via the standard WebSocket protocol. The vulnerability is not listed in the CISA KEV catalog. Defenses rely on upgrading the library or applying network‑level traffic controls to limit the rate of small frames, as no built‑in mitigation exists in affected releases.
OpenCVE Enrichment
Github GHSA