CVE-2026-54466
Received Received - Intake

Integer Overflow in WebSocket-Driver Library

Vulnerability report for CVE-2026-54466, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, the frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a client can make the server parse these bytes into an ever-growing integer in lib/websocket/driver/draft75.js; because JavaScript numbers are 64-bit floating point values, this number will eventually lose precision and lead to the subsequent payload being parsed incorrectly. This issue is fixed in version 0.7.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
websocket-driver websocket-driver 0.7.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-130 The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

websocket-driver before 0.7.5 has a flaw in handling WebSocket protocol draft75 frames. The length header allows encoding an arbitrarily large integer using bytes with the high bit set. Sending many such bytes causes a JavaScript number to lose precision, leading to incorrect parsing of subsequent payloads.

Detection Guidance

Detection involves checking the version of websocket-driver in use. Run npm list websocket-driver or check package.json for versions prior to 0.7.5. Monitor network traffic for unusually large WebSocket frames or malformed payloads.

Impact Analysis

An attacker could exploit this to disrupt WebSocket connections, cause denial of service, or manipulate data parsing between client and server. Servers using vulnerable versions may crash or behave unpredictably.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by enabling denial-of-service attacks or unauthorized data access through malformed WebSocket frames. The incorrect parsing of large integers may lead to server instability or unintended data exposure, which could violate data integrity and confidentiality requirements under these regulations.

Mitigation Strategies

Upgrade websocket-driver to version 0.7.5 or later immediately. If upgrading is not possible, implement strict input validation for WebSocket frames and limit frame sizes to prevent excessive parsing.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54466. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart