Skip to main content

websocket-driver CVE-2026-54463

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-07-15 https://github.com/faye/websocket-driver-ruby GHSA-ghhp-3qvg-889p
Share

Severity by source

vuln.today AI
7.5 HIGH

Network-reachable WebSocket endpoint, low complexity byte stream attack, no privileges required at protocol layer; pure availability impact, no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 15, 2026 - 22:31 vuln.today
Analysis Generated
Jul 15, 2026 - 22:31 vuln.today

DescriptionCVE.org

Impact

The frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a server or client can make the other peer parse these bytes into an ever-growing integer. Since Ruby integers are arbitrary precision, this can be used to make a WebSocket connection consume an unbounded amount of memory and lead to the host process running out of memory.

Patches

The issue has been patched in version 0.8.1. All users should upgrade to this version.

Workarounds

No known workarounds exist.

Acknowledgements

This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.

AnalysisAI

Memory exhaustion in the Ruby websocket-driver gem (faye/websocket-driver-ruby) allows any network peer to crash the host process by abusing the draft WebSocket protocol's variable-length integer encoding. By streaming an indefinite sequence of bytes with values 0x80 or above in a frame length header, an attacker forces the parser to accumulate an ever-growing Ruby arbitrary-precision integer, consuming unbounded heap memory until the process is killed by the OS. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach WebSocket endpoint over network
Delivery
Complete HTTP upgrade handshake
Exploit
Stream continuous 0x80 bytes in frame length field
Execution
Parser accumulates unbounded Ruby Bignum
Persist
Host process OOM-killed
Impact
WebSocket service unavailable

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to establish a valid WebSocket connection to the target - the HTTP upgrade handshake must succeed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector was provided in the source data, so scoring is independently assessed below. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker connects to a publicly accessible WebSocket endpoint - for example, a Faye pub/sub server or a Rails ActionCable endpoint not gated by authentication - and after the HTTP upgrade handshake completes, begins streaming a continuous sequence of 0x80 bytes as the frame length field without ever completing the frame. The vulnerable parser accumulates these bytes into an ever-growing Ruby Bignum object, causing heap memory to grow without bound until the Ruby process is killed by the OS out-of-memory manager, taking down all WebSocket sessions on that worker. …
Remediation Upgrade websocket-driver to version 0.8.1 or later, which is the vendor-confirmed patched release per the GitHub security advisory at https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-ghhp-3qvg-889p. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy