CVE-2026-54463
Received Received - Intake

Memory Exhaustion in websocket-driver WebSocket Handler

Vulnerability report for CVE-2026-54463, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, draft versions of the WebSocket protocol in websocket-driver include a length header that allows an arbitrarily large integer to be encoded as bytes with the high bit set, and a server or client can send an indefinite sequence of 0x80 or higher bytes that the peer parses into an ever-growing Ruby integer. This can make a WebSocket connection consume an unbounded amount of memory and lead to the host process running out of memory. This issue is fixed in version 0.8.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
faye websocket-driver to 0.8.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

websocket-driver before 0.8.1 has a flaw in WebSocket protocol handling where draft versions allow encoding an arbitrarily large integer as bytes with the high bit set. This can cause a server or client to send endless sequences of high bytes, leading to unbounded memory consumption and potential out-of-memory crashes.

Detection Guidance

This vulnerability can be detected by checking the version of websocket-driver in use. If the version is below 0.8.1, the system is vulnerable. Commands like 'gem list websocket-driver' for Ruby environments or inspecting package.json for Node.js can help identify the version.

Impact Analysis

This vulnerability can cause denial of service by exhausting system memory on a host running an affected version of websocket-driver. It may lead to application crashes, degraded performance, or complete service unavailability.

Mitigation Strategies

Immediately upgrade websocket-driver to version 0.8.1 or later. For Ruby applications, run 'gem update websocket-driver'. For Node.js, update the dependency in package.json and reinstall. Monitor memory usage during and after the update.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54463. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart