CVE-2026-54466
CRITICALLifecycle Timeline
3Blast Radius
ecosystem impact- 92,204 npm packages depend on websocket-driver (1,723 direct, 90,491 indirect)
Ecosystem-wide dependent count for version 0.7.5.
DescriptionCVE.org
Impact
The frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a client can make the server parse these bytes into an ever-growing integer. Since JavaScript numbers are 64-bit floating point values, this number will eventually lose precision and lead to the subsequent payload being parsed incorrectly.
Patches
The issue has been patched in version 0.7.5 by rejecting the message if the length header exceeds the configured maximum message length. All users should upgrade to this version.
Workarounds
No known workarounds exist.
Acknowledgements
This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.
AnalysisAI
Message corruption in the Node.js websocket-driver package (versions < 0.7.5) lets a remote WebSocket client desynchronize frame parsing by abusing the draft-protocol length header. By streaming an indefinite run of continuation bytes (0x80 or higher), an attacker forces the server to accumulate an ever-growing integer that exceeds JavaScript's 64-bit floating-point precision, so the true payload length is computed incorrectly and subsequent bytes are parsed against the wrong frame boundaries. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours, audit all Node.js applications and identify instances of websocket-driver below version 0.7.5; prioritize production systems and those handling sensitive data. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xv26-6w52-cph6