Skip to main content

websocket-driver CVE-2026-54465

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-07-15 https://github.com/faye/websocket-driver-ruby GHSA-8j3g-f24p-4mpw
Share

Severity by source

vuln.today AI
7.5 HIGH

Network-reachable with no authentication or user interaction required in the affected raw-TCP pattern; impact is availability only as memory exhaustion causes DoS with no data exposure or modification.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 15, 2026 - 22:32 vuln.today
Analysis Generated
Jul 15, 2026 - 22:32 vuln.today

DescriptionCVE.org

Impact

If this library is used to implement a WebSocket server on top of a TCP server (rather than an HTTP server or framework) using the WebSocket::Driver.server() method, or, if it is used to complement a WebSocket client, then a peer can make a single connection consume an unbounded amount of memory by sending an HTTP request or response with a never-ending list of headers. This can lead to the receiving process running out of memory.

Patches

The issue has been patched in version 0.8.1, by limiting the total size of HTTP request/response lines and headers accepted by the parser to 32 kB. All users should upgrade to this version.

Workarounds

No known workarounds exist.

Acknowledgements

This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.

AnalysisAI

Memory exhaustion in the websocket-driver Ruby gem (versions prior to 0.8.1) allows a remote peer to crash or degrade a receiving process by sending an HTTP request or response with an arbitrarily large number of headers, which the parser accumulates without any size bound. Affected deployments are those using WebSocket::Driver.server() directly atop a raw TCP server (bypassing an HTTP framework), or applications using this library as a WebSocket client - standard HTTP framework integrations (Rails, Sinatra, Rack) are not in scope. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Open TCP connection to raw WebSocket server
Delivery
Send HTTP upgrade request with endless header stream
Exploit
Parser accumulates headers with no size limit
Execution
Process heap exhausted
Impact
Service crashes or becomes unresponsive

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application uses WebSocket::Driver.server() to accept WebSocket connections directly on a raw TCP server, bypassing any HTTP server or framework (such as Rack, Rails, Sinatra, Puma, or Unicorn). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was assigned by NVD at time of analysis, and no EPSS probability is available, so quantitative risk signals are absent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker establishes a TCP connection to a Ruby WebSocket server that uses WebSocket::Driver.server() without an intermediary HTTP framework, then transmits an HTTP upgrade request containing thousands of arbitrary header lines in a slow or streaming fashion. The websocket-driver parser appends each header to an in-memory structure without bound, causing the Ruby process heap to grow until available system memory is exhausted, resulting in an OOM kill or process crash and denying service to all legitimate clients. …
Remediation Upgrade websocket-driver to version 0.8.1 or later, which is the vendor-confirmed fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54465 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy