SCA: security update for ws (GHSA-96hv-2xvq-fx4p)

high Tenable Self-Hosted Container Security Plugin ID 443213

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not
including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are
affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small
fragments and data chunks, with modest network traffic, to force the remote peer into allocating and
holding structural wrappers that consume far more memory than the default documented message-size limit,
leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and
8.21.0. (CVE-2026-48779)

Solution

Update the ws library and its related packages to version 5.2.5 or later.

See Also

https://github.com/advisories/GHSA-96hv-2xvq-fx4p

Plugin Details

Severity: High

ID: 443213

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 6/15/2026

Updated: 7/10/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.72

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-48779

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/15/2026

Vulnerability Publication Date: 6/15/2026

Reference Information

CVE: CVE-2026-48779