CVE-2026-54464
Received Received - Intake

WebSocket Message Size Bypass via Permessage-Deflate

Vulnerability report for CVE-2026-54464, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

### Impact If this library is used in tandem with the `permessage-deflate` extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the size of the compressed data, not the size after decompression. This can lead to applications accepting larger messages than expected and exceeding their intended resource usage. ### Patches The issue has been patched in version 0.8.1, by checking the length of messages after they are processed by incoming extensions. All users should upgrade to this version. ### Workarounds No known workarounds exist. ### Acknowledgements This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
faye websocket-driver to 0.8.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects WebSocket connections using the permessage-deflate extension. It allows servers or clients to accept messages larger than the configured maximum size because the size check is performed on compressed data headers rather than decompressed data. This can lead to excessive resource usage.

Detection Guidance

Detecting this vulnerability requires checking if the WebSocket library version is below 0.8.1 and if the permessage-deflate extension is enabled. Inspect server or client configurations for WebSocket library versions and extension settings.

Impact Analysis

If exploited, this vulnerability could cause applications to consume more memory or CPU than intended, potentially leading to denial-of-service conditions or degraded performance. Systems relying on strict message size limits may be vulnerable.

Compliance Impact

This vulnerability could potentially impact compliance with standards like GDPR and HIPAA by enabling denial-of-service attacks through resource exhaustion. Excessive resource consumption may lead to system instability or crashes, which could disrupt data processing or availability required for compliance.

Mitigation Strategies

Upgrade the WebSocket library to version 0.8.1 or later. This version includes a fix that checks message length after decompression, preventing oversized messages.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54464. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart