Description
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ws library processes incoming WebSocket frames by wrapping each fragment in an internal structure. A malicious peer can flood a server or client with thousands of tiny fragments that appear normal but force the library to allocate dozens of wrappers, consuming far more memory than the configured message‑size limit. If the application keeps processing these frames, system RAM is exhausted and the node process terminates with an out‑of‑memory error, producing a denial‑of‑service condition. The flaw is a classic resource depletion weakness (CWE‑400), involves uncontrolled allocation (CWE‑770), and introduces a misallocation that may lead to undefined behavior (CWE‑1050). No authentication or privileged access is required to trigger the attack.

Affected Systems

The open‑source WebSocket client and server for Node.js, known as ws, is vulnerable across multiple major releases. All versions from 1.1.0 up to, but not including, 5.2.5; from 6.0.0 up to 6.2.4; from 7.0.0 up to 7.5.11; and from 8.0.0 up to 8.21.0 contain the weakness. Fixed releases are 5.2.5, 6.2.4, 7.5.11, and 8.21.0.

Risk and Exploitability

A CVSS score of 7.5 indicates a high‑severity denial‑of‑service risk. The EPSS score is reported as less than 1%, meaning exploit attempts in the wild are very uncommon, but the vulnerability remains possible if an attacker can reach the node process over the network. Attackers do not need any special authentication and can send frames via the standard WebSocket protocol. The vulnerability is not listed in the CISA KEV catalog. Defenses rely on upgrading the library or applying network‑level traffic controls to limit the rate of small frames, as no built‑in mitigation exists in affected releases.

Generated by OpenCVE AI on June 24, 2026 at 10:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest released version of ws (5.2.5 or later, 6.2.4, 7.5.11, or 8.21.0 depending on your major release).
  • If an immediate upgrade is not possible, place a reverse proxy or firewall in front of the application and enforce a rate limit on incoming WebSocket connections, rejecting bursts of frames that are unusually small or that exceed a per‑second threshold.
  • In Node.js applications, configure socket.maxIncomingMessageSize or implement a wrapper around ws that validates the size and frequency of frames before they reach the library, rejecting those that could trigger excessive wrapper allocation.

Generated by OpenCVE AI on June 24, 2026 at 10:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-96hv-2xvq-fx4p ws: Memory exhaustion DoS from tiny fragments and data chunks
History

Wed, 24 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1050
References
Metrics threat_severity

None

threat_severity

Important


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Websockets
Websockets ws
Vendors & Products Websockets
Websockets ws

Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
Title ws: Memory exhaustion DoS from tiny fragments and data chunks
Weaknesses CWE-400
CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-06T12:05:15.724Z

Reserved: 2026-05-22T20:18:20.365Z

Link: CVE-2026-48779

cve-icon Vulnrichment

Updated: 2026-07-02T12:05:02.554Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-16T21:26:22Z

Links: CVE-2026-48779 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:45:03Z

Weaknesses
  • CWE-1050

    Excessive Platform Resource Consumption within a Loop

  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling