websocket-driver CVE-2026-54463
MEDIUMSeverity by source
Network-reachable WebSocket endpoint, low complexity byte stream attack, no privileges required at protocol layer; pure availability impact, no confidentiality or integrity effect.
Lifecycle Timeline
2DescriptionCVE.org
Impact
The frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a server or client can make the other peer parse these bytes into an ever-growing integer. Since Ruby integers are arbitrary precision, this can be used to make a WebSocket connection consume an unbounded amount of memory and lead to the host process running out of memory.
Patches
The issue has been patched in version 0.8.1. All users should upgrade to this version.
Workarounds
No known workarounds exist.
Acknowledgements
This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.
AnalysisAI
Memory exhaustion in the Ruby websocket-driver gem (faye/websocket-driver-ruby) allows any network peer to crash the host process by abusing the draft WebSocket protocol's variable-length integer encoding. By streaming an indefinite sequence of bytes with values 0x80 or above in a frame length header, an attacker forces the parser to accumulate an ever-growing Ruby arbitrary-precision integer, consuming unbounded heap memory until the process is killed by the OS. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to establish a valid WebSocket connection to the target - the HTTP upgrade handshake must succeed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector was provided in the source data, so scoring is independently assessed below. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker connects to a publicly accessible WebSocket endpoint - for example, a Faye pub/sub server or a Rails ActionCable endpoint not gated by authentication - and after the HTTP upgrade handshake completes, begins streaming a continuous sequence of 0x80 bytes as the frame length field without ever completing the frame. The vulnerable parser accumulates these bytes into an ever-growing Ruby Bignum object, causing heap memory to grow without bound until the Ruby process is killed by the OS out-of-memory manager, taking down all WebSocket sessions on that worker. … |
| Remediation | Upgrade websocket-driver to version 0.8.1 or later, which is the vendor-confirmed patched release per the GitHub security advisory at https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-ghhp-3qvg-889p. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-ghhp-3qvg-889p