CVE-2026-48779
Modified
Modified - Updated After Analysis
Memory Exhaustion DoS in ws WebSocket Library
Vulnerability report for CVE-2026-48779, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-17
Last updated on: 2026-07-07
Assigner: GitHub, Inc.
Description
Description
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ws_project | ws | From 6.0.0 (inc) to 6.2.4 (exc) |
| ws_project | ws | From 7.0.0 (inc) to 7.5.11 (exc) |
| ws_project | ws | From 8.0.0 (inc) to 8.21.0 (exc) |
| ws_project | ws | From 1.1.0 (inc) to 5.2.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-1050 | The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |