websocket-driver CVE-2026-54490
MEDIUMSeverity by source
Network-reachable via WebSocket handshake, no authentication or user interaction needed; availability impact is high due to unbounded memory expansion from decompressed payloads.
Lifecycle Timeline
2Blast Radius
ecosystem impact- 92,204 npm packages depend on websocket-driver (1,723 direct, 90,491 indirect)
Ecosystem-wide dependent count for version 0.7.5.
DescriptionCVE.org
Impact
If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the size of the compressed data, not the size after decompression. This can lead to applications accepting larger messages than expected and exceeding their intended resource usage.
Patches
The issue has been patched in version 0.7.5, by checking the length of messages after they are processed by incoming extensions. All users should upgrade to this version.
Workarounds
No known workarounds exist.
Acknowledgements
This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.
AnalysisAI
Resource limit bypass in the websocket-driver npm library (versions < 0.7.5) allows WebSocket messages to exceed the application's configured maximum message size when the permessage-deflate compression extension is active. The size enforcement is applied to compressed frame length headers rather than the decompressed payload, meaning a highly compressed message can appear within limits on the wire but expand arbitrarily upon decompression. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two specific conditions to be met simultaneously: the target application must use the websocket-driver npm package in a version prior to 0.7.5, and the permessage-deflate WebSocket compression extension must be negotiated and active on the connection. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector was supplied for this CVE, so all metric assessments are independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to a WebSocket endpoint running websocket-driver < 0.7.5 initiates a connection and negotiates the permessage-deflate extension during the WebSocket handshake. The attacker then transmits a series of crafted compressed frames containing repetitive or specially structured data that decompresses to payloads far exceeding the server's configured maximum message size. … |
| Remediation | Vendor-released patch: 0.7.5. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-mp7j-qc5w-4988