Skip to main content

CVE-2026-54466

CRITICAL
Improper Handling of Length Parameter Inconsistency (CWE-130)
2026-07-15 https://github.com/faye/websocket-driver-node GHSA-xv26-6w52-cph6
Share

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 22:31 vuln.today
Analysis Generated
Jul 15, 2026 - 22:31 vuln.today
CVE Published
Jul 15, 2026 - 22:07 cve.org
CRITICAL

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 92,204 npm packages depend on websocket-driver (1,723 direct, 90,491 indirect)

Ecosystem-wide dependent count for version 0.7.5.

DescriptionCVE.org

Impact

The frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a client can make the server parse these bytes into an ever-growing integer. Since JavaScript numbers are 64-bit floating point values, this number will eventually lose precision and lead to the subsequent payload being parsed incorrectly.

Patches

The issue has been patched in version 0.7.5 by rejecting the message if the length header exceeds the configured maximum message length. All users should upgrade to this version.

Workarounds

No known workarounds exist.

Acknowledgements

This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.

AnalysisAI

Message corruption in the Node.js websocket-driver package (versions < 0.7.5) lets a remote WebSocket client desynchronize frame parsing by abusing the draft-protocol length header. By streaming an indefinite run of continuation bytes (0x80 or higher), an attacker forces the server to accumulate an ever-growing integer that exceeds JavaScript's 64-bit floating-point precision, so the true payload length is computed incorrectly and subsequent bytes are parsed against the wrong frame boundaries. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours, audit all Node.js applications and identify instances of websocket-driver below version 0.7.5; prioritize production systems and those handling sensitive data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy