CVE-2026-54490
Received Received - Intake

Memory Exhaustion via Unchecked Compressed WebSocket Messages in websocket-driver

Vulnerability report for CVE-2026-54490, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, if this library is used with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size because the limit is checked against the message frames' length headers, which give the size of the compressed data, not the size after decompression in lib/websocket/driver/hybi.js. This can lead to applications accepting larger messages than expected and exceeding their intended resource usage. This issue is fixed in version 0.7.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

websocket-driver before 0.7.5 has a flaw in the permessage-deflate extension where message size limits are checked against compressed frame headers instead of decompressed data size. This allows servers or clients to accept messages larger than intended, potentially leading to excessive resource usage.

Detection Guidance

Detecting this vulnerability requires checking if websocket-driver versions prior to 0.7.5 are in use. Inspect your application dependencies for websocket-driver and verify the version. If using npm, run: npm list websocket-driver. If the version is less than 0.7.5, the system is vulnerable.

Impact Analysis

If exploited, this vulnerability could cause your application to consume more memory or CPU than expected, leading to performance degradation, crashes, or denial-of-service conditions due to unexpectedly large message processing.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by allowing applications to accept larger messages than intended, which may lead to excessive resource usage or unintended data exposure. If exploited, it could cause systems to process more data than configured, potentially violating data minimization principles in GDPR or integrity requirements in HIPAA.

Mitigation Strategies

Upgrade websocket-driver to version 0.7.5 or later immediately. If upgrading is not possible, disable the permessage-deflate extension in your WebSocket configuration to prevent compressed message processing. Review server or client configurations to ensure message size limits are enforced post-decompression.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54490. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart