websocket-driver CVE-2026-54464
MEDIUMSeverity by source
Network-reachable WebSocket endpoint, no auth required, trivially crafted payload; pure availability impact via resource exhaustion, no C or I exposure.
Lifecycle Timeline
2DescriptionCVE.org
Impact
If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the size of the compressed data, not the size after decompression. This can lead to applications accepting larger messages than expected and exceeding their intended resource usage.
Patches
The issue has been patched in version 0.8.1, by checking the length of messages after they are processed by incoming extensions. All users should upgrade to this version.
Workarounds
No known workarounds exist.
Acknowledgements
This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.
AnalysisAI
Resource exhaustion in the websocket-driver Ruby gem (faye/websocket-driver-ruby) allows any WebSocket peer to bypass a configured maximum message size when the permessage-deflate compression extension is in use. The size limit is enforced against the compressed frame length rather than the post-decompression size, enabling a decompression-bomb style attack where a small compressed payload expands far beyond the intended ceiling. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two conditions to be simultaneously true: (1) the permessage-deflate WebSocket extension (RFC 7692) must be negotiated and active on the connection - this is a server or client configuration choice, not universally enabled by default; and (2) the application must have configured a maximum message size limit, which is the guard being bypassed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS score was published; all metric assessment is inferred from the advisory description and CWE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker connects to a publicly accessible WebSocket endpoint, successfully negotiates the permessage-deflate extension during the handshake, then sends a crafted message that is compressed to a size below the server's configured maximum message size threshold. Upon decompression, the payload expands to a size far exceeding the limit - potentially hundreds of times larger - consuming server memory and CPU. … |
| Remediation | Upgrade websocket-driver to version 0.8.1 or later - the vendor-confirmed fix that relocates the message size check to occur after decompression by incoming extensions (https://github.com/faye/websocket-driver-ruby/releases/tag/0.8.1). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-33ph-fccm-39pj