CVE-2026-48779

high

Description

ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48779.json

https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p

https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8

https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94

https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53

https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7

https://bugzilla.redhat.com/show_bug.cgi?id=2489661

https://access.redhat.com/security/cve/CVE-2026-48779

https://access.redhat.com/errata/RHSA-2026:37272

https://access.redhat.com/errata/RHSA-2026:36820

https://access.redhat.com/errata/RHSA-2026:36754

https://access.redhat.com/errata/RHSA-2026:34342

https://access.redhat.com/errata/RHSA-2026:33574

https://access.redhat.com/errata/RHSA-2026:33183

https://access.redhat.com/errata/RHSA-2026:33173

https://access.redhat.com/errata/RHSA-2026:33163

https://access.redhat.com/errata/RHSA-2026:33160

https://access.redhat.com/errata/RHSA-2026:33155

https://access.redhat.com/errata/RHSA-2026:29197

Details

Source: Mitre, NVD

Published: 2026-06-17

Updated: 2026-07-10

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

EPSS

EPSS: 0.00052