Skip to main content

ws EUVDEUVD-2026-44729

| CVE-2026-62389 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-15 VulnCheck GHSA-73jw-fp74-p77x
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable, no authentication or interaction, and trivial to trigger (AV:N/AC:L/PR:N/UI:N); impact is availability-only heap exhaustion, so C:N/I:N/A:H with unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 17:48 vuln.today
Analysis Generated
Jul 15, 2026 - 17:48 vuln.today
CVE Published
Jul 15, 2026 - 17:04 cve.org
HIGH 8.7

DescriptionCVE.org

ws before 8.21.1 contains a memory exhaustion vulnerability in lib/receiver.js where the fragment guard only triggers when fragment count reaches maxFragments, allowing attackers to exhaust memory by sending incomplete fragmented WebSocket messages. Attackers can send a text frame with FIN=0 followed by continuation frames without completing the sequence, causing each fragment to be stored as a separate Buffer object with significant overhead, enabling denial of service through heap exhaustion.

AnalysisAI

Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Open WebSocket connection to ws server
Delivery
Send text frame with FIN=0
Exploit
Stream endless continuation fragments
Execution
Buffers accumulate unbounded in receiver
Impact
Node heap exhausted, process OOM-killed

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the target run a ws server (version before 8.21.1) that accepts WebSocket connections and permits fragmented data messages - the default configuration, since the pre-patch defaults for maxFragments/maxBufferedChunks were high enough to allow substantial accumulation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine availability risk but strictly a denial-of-service issue - the supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) with VA:H and VC/VI:N confirms a network-reachable, no-authentication, low-complexity attack that impacts only availability, consistent with the CWE-770 classification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker opens a WebSocket connection to an internet-facing Node.js service running a pre-8.21.1 ws server, sends a text frame with FIN=0, and then streams a long series of continuation frames (including empty ones) without ever sending a final frame. Because each fragment is buffered as a separate Buffer and the count guard never trips, the server's heap grows until the Node process is killed by the out-of-memory handler; repeating this across a few connections amplifies the effect. …
Remediation Vendor-released patch: upgrade ws to version 8.21.1 or later, which counts empty fragments toward the limit and reduces the default values of the maxBufferedChunks and maxFragments options (fix commit f197ac65140920bdcecdab74bfc69c2d7858e55d; release notes at https://github.com/websockets/ws/releases/tag/8.21.1). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all applications and services using ws library versions prior to 8.21.1 and assess production exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44729 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy