CVE-2026-54465
Received Received - Intake

Memory Exhaustion in websocket-driver via Unbounded Headers

Vulnerability report for CVE-2026-54465, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, when websocket-driver is used to implement a WebSocket server on top of a TCP server using WebSocket::Driver.server() or to complement a WebSocket client, a peer can make a single connection consume an unbounded amount of memory by sending an HTTP request or response with a never-ending list of headers. This can lead to the receiving process running out of memory. This issue is fixed in version 0.8.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
faye websocket-driver 0.8.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

websocket-driver before 0.8.1 has a memory exhaustion issue where a peer can send an HTTP request or response with an endless list of headers, causing the server to consume excessive memory and potentially run out of it.

Detection Guidance

This vulnerability can be detected by checking the version of websocket-driver in use. If your system is running a version prior to 0.8.1, it is vulnerable. Use commands like 'npm list websocket-driver' for Node.js projects or inspect your package dependencies directly.

Impact Analysis

This vulnerability can lead to denial-of-service by crashing or slowing down the affected system due to excessive memory usage, disrupting services relying on websocket-driver.

Compliance Impact

This vulnerability primarily impacts system availability by enabling denial-of-service attacks through memory exhaustion. It does not directly affect data confidentiality or integrity, which are key concerns for GDPR and HIPAA. However, prolonged service disruption could indirectly impact compliance by preventing timely access to personal or health data.

Mitigation Strategies

Immediately update websocket-driver to version 0.8.1 or later. If updating is not possible, consider removing or replacing the vulnerable component. Monitor network traffic for unusual header patterns that could indicate exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54465. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart