websocket-driver CVE-2026-54465
MEDIUMSeverity by source
Network-reachable with no authentication or user interaction required in the affected raw-TCP pattern; impact is availability only as memory exhaustion causes DoS with no data exposure or modification.
Lifecycle Timeline
2DescriptionCVE.org
Impact
If this library is used to implement a WebSocket server on top of a TCP server (rather than an HTTP server or framework) using the WebSocket::Driver.server() method, or, if it is used to complement a WebSocket client, then a peer can make a single connection consume an unbounded amount of memory by sending an HTTP request or response with a never-ending list of headers. This can lead to the receiving process running out of memory.
Patches
The issue has been patched in version 0.8.1, by limiting the total size of HTTP request/response lines and headers accepted by the parser to 32 kB. All users should upgrade to this version.
Workarounds
No known workarounds exist.
Acknowledgements
This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.
AnalysisAI
Memory exhaustion in the websocket-driver Ruby gem (versions prior to 0.8.1) allows a remote peer to crash or degrade a receiving process by sending an HTTP request or response with an arbitrarily large number of headers, which the parser accumulates without any size bound. Affected deployments are those using WebSocket::Driver.server() directly atop a raw TCP server (bypassing an HTTP framework), or applications using this library as a WebSocket client - standard HTTP framework integrations (Rails, Sinatra, Rack) are not in scope. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application uses WebSocket::Driver.server() to accept WebSocket connections directly on a raw TCP server, bypassing any HTTP server or framework (such as Rack, Rails, Sinatra, Puma, or Unicorn). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or vector was assigned by NVD at time of analysis, and no EPSS probability is available, so quantitative risk signals are absent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker establishes a TCP connection to a Ruby WebSocket server that uses WebSocket::Driver.server() without an intermediary HTTP framework, then transmits an HTTP upgrade request containing thousands of arbitrary header lines in a slow or streaming fashion. The websocket-driver parser appends each header to an in-memory structure without bound, causing the Ruby process heap to grow until available system memory is exhausted, resulting in an OOM kill or process crash and denying service to all legitimate clients. … |
| Remediation | Upgrade websocket-driver to version 0.8.1 or later, which is the vendor-confirmed fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8j3g-f24p-4mpw