Skip to main content

websocket-driver CVE-2026-54490

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-15 https://github.com/faye/websocket-driver-node GHSA-mp7j-qc5w-4988
Share

Severity by source

vuln.today AI
7.5 HIGH

Network-reachable via WebSocket handshake, no authentication or user interaction needed; availability impact is high due to unbounded memory expansion from decompressed payloads.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 15, 2026 - 22:32 vuln.today
Analysis Generated
Jul 15, 2026 - 22:32 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 92,204 npm packages depend on websocket-driver (1,723 direct, 90,491 indirect)

Ecosystem-wide dependent count for version 0.7.5.

DescriptionCVE.org

Impact

If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the size of the compressed data, not the size after decompression. This can lead to applications accepting larger messages than expected and exceeding their intended resource usage.

Patches

The issue has been patched in version 0.7.5, by checking the length of messages after they are processed by incoming extensions. All users should upgrade to this version.

Workarounds

No known workarounds exist.

Acknowledgements

This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.

AnalysisAI

Resource limit bypass in the websocket-driver npm library (versions < 0.7.5) allows WebSocket messages to exceed the application's configured maximum message size when the permessage-deflate compression extension is active. The size enforcement is applied to compressed frame length headers rather than the decompressed payload, meaning a highly compressed message can appear within limits on the wire but expand arbitrarily upon decompression. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Connect to WebSocket endpoint
Delivery
Negotiate permessage-deflate extension during handshake
Exploit
Craft high-ratio compressed payload frames
Install
Send frames within compressed size limit
C2
Server bypasses decompressed size check
Execute
Decompress oversized payload into memory
Impact
Exhaust server resources

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific conditions to be met simultaneously: the target application must use the websocket-driver npm package in a version prior to 0.7.5, and the permessage-deflate WebSocket compression extension must be negotiated and active on the connection. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector was supplied for this CVE, so all metric assessments are independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to a WebSocket endpoint running websocket-driver < 0.7.5 initiates a connection and negotiates the permessage-deflate extension during the WebSocket handshake. The attacker then transmits a series of crafted compressed frames containing repetitive or specially structured data that decompresses to payloads far exceeding the server's configured maximum message size. …
Remediation Vendor-released patch: 0.7.5. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54490 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy