Skip to main content

websocket-driver CVE-2026-54464

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-15 https://github.com/faye/websocket-driver-ruby GHSA-33ph-fccm-39pj
Share

Severity by source

vuln.today AI
7.5 HIGH

Network-reachable WebSocket endpoint, no auth required, trivially crafted payload; pure availability impact via resource exhaustion, no C or I exposure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 15, 2026 - 22:31 vuln.today
Analysis Generated
Jul 15, 2026 - 22:31 vuln.today

DescriptionCVE.org

Impact

If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the size of the compressed data, not the size after decompression. This can lead to applications accepting larger messages than expected and exceeding their intended resource usage.

Patches

The issue has been patched in version 0.8.1, by checking the length of messages after they are processed by incoming extensions. All users should upgrade to this version.

Workarounds

No known workarounds exist.

Acknowledgements

This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.

AnalysisAI

Resource exhaustion in the websocket-driver Ruby gem (faye/websocket-driver-ruby) allows any WebSocket peer to bypass a configured maximum message size when the permessage-deflate compression extension is in use. The size limit is enforced against the compressed frame length rather than the post-decompression size, enabling a decompression-bomb style attack where a small compressed payload expands far beyond the intended ceiling. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect to WebSocket endpoint
Delivery
Negotiate permessage-deflate during handshake
Exploit
Craft DEFLATE payload compressed below size threshold
Execution
Transmit compressed frame
Persist
Server decompresses to oversized payload bypassing size limit
Impact
Memory or CPU exhaustion causes service disruption

Vulnerability AssessmentAI

Exploitation Exploitation requires two conditions to be simultaneously true: (1) the permessage-deflate WebSocket extension (RFC 7692) must be negotiated and active on the connection - this is a server or client configuration choice, not universally enabled by default; and (2) the application must have configured a maximum message size limit, which is the guard being bypassed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No official CVSS score was published; all metric assessment is inferred from the advisory description and CWE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker connects to a publicly accessible WebSocket endpoint, successfully negotiates the permessage-deflate extension during the handshake, then sends a crafted message that is compressed to a size below the server's configured maximum message size threshold. Upon decompression, the payload expands to a size far exceeding the limit - potentially hundreds of times larger - consuming server memory and CPU. …
Remediation Upgrade websocket-driver to version 0.8.1 or later - the vendor-confirmed fix that relocates the message size check to occur after decompression by incoming extensions (https://github.com/faye/websocket-driver-ruby/releases/tag/0.8.1). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54464 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy