Threat Advisory

ws Vulnerability Enables Remote Memory Exhaustion

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-48779, with a CVSS score of 7.5, is a high-severity denial-of-service flaw in the popular npm/ws WebSocket library that affects versions >= 1.1.0 < 5.2.5, >= 6.0.0 < 6.2.4, >= 7.0.0 < 7.5.11 and >= 8.0.0 < 8.21.0. The vulnerability arises because the library allocates a structural wrapper for each incoming fragment or data chunk without adequately limiting the number of tiny fragments, allowing a peer to send a flood of 1-byte frames that consume far more memory than the documented maxPayload limit. An attacker exploiting this condition needs only network-level access to the WebSocket endpoint; by establishing a connection and continuously sending non-final 1-byte frames, the remote process rapidly allocates memory until it exhausts the host's RAM and terminates with an out-of-memory error. Successful exploitation grants the attacker the ability to force a crash of the affected service, resulting in loss of availability, potential SLA violations, and downstream disruption of any applications that rely on the WebSocket server. Exploitation requires that the server be running a vulnerable ws version with default maxPayload settings and that the attacker can reach the WebSocket port.


RECOMMENDATION:

  • We recommend updating npm/ws to version 5.2.5, 6.2.4, 7.5.11 or 8.21.0, whichever is the patched release for the major version in use.
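The following script is an added example written for this advisory; it is not code from the advisory's author or from the ws project. It encodes the affected ranges and patched releases stated above and checks an installed ws version, or every ws copy recorded in a package-lock.json (lockfileVersion 2 or 3, which stores packages under a "packages" map keyed by install path), against them. It assumes plain "major.minor.patch" version strings; a leading "v" and any prerelease or build suffix are dropped before comparison, which is a simplification of full semver ordering. The lockfile fragment at the bottom is constructed sample data, not a real project's lockfile.

```javascript
// Added example, not taken from the advisory or from the ws project: decide
// whether an installed ws version falls inside one of the vulnerable ranges
// listed for CVE-2026-48779 and, if so, report the patched release on the
// same line. Assumes plain "major.minor.patch" version strings; a leading "v"
// and any prerelease/build suffix (e.g. "8.20.0-beta.1") are dropped before
// comparison, which is a simplification of full semver ordering.

// Ranges as stated in the advisory: vulnerable if min <= version < fixedBelow.
const VULNERABLE_RANGES = [
  { min: '1.1.0', fixedBelow: '5.2.5' },
  { min: '6.0.0', fixedBelow: '6.2.4' },
  { min: '7.0.0', fixedBelow: '7.5.11' },
  { min: '8.0.0', fixedBelow: '8.21.0' },
];

// Turn "v8.20.0-beta.1" into [8, 20, 0]; reject anything that is not three
// non-negative integers so a malformed lockfile entry fails loudly.
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a major.minor.patch version: ${v}`);
  }
  return parts;
}

// Numeric comparison component by component: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Classify one version against the advisory's ranges.
function assessWsVersion(installed) {
  for (const range of VULNERABLE_RANGES) {
    if (compareVersions(installed, range.min) >= 0 &&
        compareVersions(installed, range.fixedBelow) < 0) {
      return { version: installed, vulnerable: true, upgradeTo: range.fixedBelow };
    }
  }
  return { version: installed, vulnerable: false, upgradeTo: null };
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// Keys are install paths such as "node_modules/ws" or
// "node_modules/engine.io/node_modules/ws", so nested copies pulled in by
// other dependencies are found as well as the top-level one.
function findVulnerableWs(lock) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (!installPath.endsWith('node_modules/ws') || !meta.version) continue;
    const result = assessWsVersion(meta.version);
    if (result.vulnerable) findings.push({ path: installPath, ...result });
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/ws': { version: '8.20.3' },
    'node_modules/engine.io': { version: '6.5.4' },
    'node_modules/engine.io/node_modules/ws': { version: '7.5.10' },
    'node_modules/some-other-lib': { version: '2.0.0' },
  },
};

// Human-readable report lines, one per vulnerable copy.
function reportVulnerableWs(lock) {
  return findVulnerableWs(lock).map(
    (f) => `${f.path}: ws ${f.version} is vulnerable, upgrade to ${f.upgradeTo}`,
  );
}

for (const line of reportVulnerableWs(SAMPLE_LOCK)) {
  console.log(line);
}
```

To check a real project, read its package-lock.json with `JSON.parse(fs.readFileSync(...))` and pass the object to `findVulnerableWs`; lockfileVersion 1 files use a nested "dependencies" tree instead of "packages" and are not handled by this walker.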

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-96hv-2xvq-fx4p
