CVE-2026-48779
Status: Received - Intake
Memory Exhaustion DoS in ws WebSocket Library

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to (but not including) 6.2.4, from 7.0.0 up to (but not including) 7.5.11, and from 8.0.0 up to (but not including) 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, generating only modest network traffic, and force the remote peer to allocate and hold a structural wrapper for each of them; these wrappers consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
Affected Vendors & Products

Vendor      Product   Version / Range
websockets  ws        From 1.1.0 (inc) to 5.2.5 (exc)
websockets  ws        From 6.0.0 (inc) to 6.2.4 (exc)
websockets  ws        From 7.0.0 (inc) to 7.5.11 (exc)
websockets  ws        From 8.0.0 (inc) to 8.21.0 (exc)
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

CVE-2026-48779 is a memory exhaustion denial-of-service (DoS) vulnerability in ws, the open source WebSocket client and server library for Node.js. It affects four release lines of the library (1.x through 8.x) prior to the fixed versions listed in the description. No CVSS score is recorded on this page, so the severity has not been rated here.

An attacker can send a high volume of very small WebSocket fragments or data chunks to a vulnerable peer. The receiving peer allocates and holds a wrapper object for each fragment, and for tiny fragments the per-object overhead, not the payload, dominates memory use. Because the documented message-size limit (the maxPayload option) bounds payload bytes rather than the number of fragments or their bookkeeping cost, total memory consumption can exceed that limit by a large factor, and the process can run out of memory and terminate unexpectedly.
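
The following is an added illustration of the mechanism described above, written for this page; it is not ws code and does not touch the library. It holds many one-byte Buffers in an array, as a receiver reassembling a fragmented message would, and measures how much V8 heap that costs per byte of payload. Absolute numbers vary by Node.js version and platform; the point is that the ratio is far above 1, which is exactly why a payload-based limit does not bound memory.

```javascript
// Added illustration (not ws code): per-fragment wrapper objects cost far more
// than the payload they carry. Each fragment a receiver keeps is a separate
// Buffer object whose bookkeeping lives on the V8 heap regardless of size.
function wrapperOverhead(fragmentCount, fragmentBytes = 1) {
  const payloadBytes = fragmentCount * fragmentBytes;
  const before = process.memoryUsage().heapUsed;

  // Hold every fragment, as a receiver must until the final frame arrives.
  const held = new Array(fragmentCount);
  for (let i = 0; i < fragmentCount; i++) {
    held[i] = Buffer.alloc(fragmentBytes);
  }

  const after = process.memoryUsage().heapUsed;
  // `held` is still referenced here, so nothing above can be collected yet.
  if (held.length !== fragmentCount) throw new Error('unreachable');
  const heapGrowth = Math.max(0, after - before);

  return {
    payloadBytes,
    heapGrowth,
    // Heap bytes spent per byte of actual payload; 1.0 would mean "no overhead".
    bytesPerPayloadByte: heapGrowth / payloadBytes,
  };
}

// Demo: 200,000 fragments of 1 byte each (200 KB of payload).
const demo = wrapperOverhead(200000);
console.log(
  `${demo.payloadBytes} payload bytes cost ${demo.heapGrowth} heap bytes ` +
  `(${demo.bytesPerPayloadByte.toFixed(1)} heap bytes per payload byte)`
);
```

A maxPayload of, say, 100 MB therefore says nothing about the heap a peer can force you to hold if it delivers that payload in single-byte pieces; the fix in the patched versions is needed, and the figures printed here are only an illustration of the overhead class, not a measurement of ws itself.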

The vulnerability is related to uncontrolled resource consumption and allocation of resources without limits or throttling, classified under CWE-400 and CWE-770.

Impact Analysis

This vulnerability primarily impacts the availability of systems using the affected versions of the ws library. Because ws implements both sides of the protocol, the exposed party is whichever peer receives the fragments: a server accepting connections from untrusted clients, or a client connected to an untrusted or compromised server.

An attacker can cause a denial-of-service by forcing the application to consume excessive memory, leading to process termination due to out-of-memory (OOM) conditions.

This can disrupt services relying on WebSocket communication, causing downtime or degraded performance.

Compliance Impact

The vulnerability affects availability but does not directly impact confidentiality or integrity of data.

While it may cause service disruptions, there is no indication from the provided information that it leads to data breaches or unauthorized data access.

Therefore, its impact on compliance with standards like GDPR or HIPAA would primarily relate to availability requirements and service continuity rather than data protection mandates.

Detection Guidance

The provided context and resources do not include network signatures or commands that identify this vulnerability on a network or system. The practical check is an inventory of installed ws versions, including transitive copies pulled in by other packages (for example with `npm ls ws --all`, or `npm audit` once the advisory is in the registry database), compared against the affected ranges above.
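
One way to do that inventory, as an added example written for this page (not tooling from the ws project or the advisory): walk the JSON that `npm ls --all --json` prints, collect every copy of ws in the tree, and test each version against the four affected ranges from the description. The dependency tree below is constructed for the example and is not real audit output; the prerelease handling is a deliberate choice to treat a prerelease of a fixed version (for instance 8.21.0-rc.1) as still affected.

```javascript
// Added example, not part of the advisory or of ws: flag every installed copy
// of ws that falls inside the affected ranges. Each range is [introduced, fixed).
const AFFECTED_RANGES = [
  { introduced: '1.1.0', fixed: '5.2.5' },
  { introduced: '6.0.0', fixed: '6.2.4' },
  { introduced: '7.0.0', fixed: '7.5.11' },
  { introduced: '8.0.0', fixed: '8.21.0' },
];

// Minimal semver parse: major.minor.patch plus optional prerelease/build tags.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Prerelease builds sort below the release they precede (8.21.0-rc.1 < 8.21.0),
// so a prerelease of a fixed version is still reported as affected.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;   // both releases, or identical tags
  if (x.pre === null) return 1;    // release outranks prerelease
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;   // lexical tie-break is enough here
}

function assessWsVersion(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.introduced) >= 0 && compareVersions(version, r.fixed) < 0) {
      return { affected: true, fixedIn: r.fixed };
    }
  }
  return { affected: false, fixedIn: null };
}

// Walk the nested `dependencies` objects of `npm ls --all --json` output and
// collect every copy of ws, including duplicates buried under other packages.
function findWsCopies(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = path.concat(name);
    if (name === 'ws' && node.version) {
      out.push({ path: here.join(' > '), version: node.version, ...assessWsVersion(node.version) });
    }
    findWsCopies(node, here, out);
  }
  return out;
}

// Constructed sample tree (not real audit output): one direct copy of ws and
// two transitive copies at different versions.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    ws: { version: '8.18.0' },
    'socket.io': {
      version: '4.7.5',
      dependencies: {
        'engine.io': { version: '6.5.4', dependencies: { ws: { version: '8.17.1' } } },
      },
    },
    'legacy-client': { version: '0.3.0', dependencies: { ws: { version: '5.2.5' } } },
  },
};

function auditSample() {
  return findWsCopies(SAMPLE_TREE);
}

for (const f of auditSample()) {
  console.log(`${f.path}@${f.version}: ${f.affected ? 'AFFECTED, fixed in ' + f.fixedIn : 'not affected'}`);
}
```

Note that for anything on the 1.x to 4.x lines the reported fix target is 5.2.5, which is a major-version jump rather than a patch bump, so the transitive copies matter: a dependency pinned to an old ws line has to be updated or overridden, not just the direct dependency.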

Mitigation Strategies

To mitigate the memory exhaustion DoS vulnerability in the ws package, you should upgrade to a fixed version: 5.2.5, 6.2.4, 7.5.11, or 8.21.0.

As a temporary mitigation in vulnerable versions, you can lower the maxPayload option (accepted by both the WebSocketServer and client WebSocket constructors) to limit the size of incoming messages. This reduces exposure, because a smaller payload budget caps how many non-empty fragments a single message can carry before it is rejected, but it does not eliminate it: the root cause is that per-fragment overhead is not counted against maxPayload, so memory can still exceed the configured limit by a large factor. Treat it as a stopgap alongside general DoS hygiene (caps on concurrent connections, process memory limits and supervised restarts) and upgrade to a fixed version as the actual remediation.
