Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, no authentication or interaction, and trivial to trigger (AV:N/AC:L/PR:N/UI:N); impact is availability-only heap exhaustion, so C:N/I:N/A:H with unchanged scope.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
ws before 8.21.1 contains a memory exhaustion vulnerability in lib/receiver.js where the fragment guard only triggers when fragment count reaches maxFragments, allowing attackers to exhaust memory by sending incomplete fragmented WebSocket messages. Attackers can send a text frame with FIN=0 followed by continuation frames without completing the sequence, causing each fragment to be stored as a separate Buffer object with significant overhead, enabling denial of service through heap exhaustion.
AnalysisAI
Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the target run a ws server (version before 8.21.1) that accepts WebSocket connections and permits fragmented data messages - the default configuration, since the pre-patch defaults for maxFragments/maxBufferedChunks were high enough to allow substantial accumulation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine availability risk but strictly a denial-of-service issue - the supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) with VA:H and VC/VI:N confirms a network-reachable, no-authentication, low-complexity attack that impacts only availability, consistent with the CWE-770 classification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker opens a WebSocket connection to an internet-facing Node.js service running a pre-8.21.1 ws server, sends a text frame with FIN=0, and then streams a long series of continuation frames (including empty ones) without ever sending a final frame. Because each fragment is buffered as a separate Buffer and the count guard never trips, the server's heap grows until the Node process is killed by the out-of-memory handler; repeating this across a few connections amplifies the effect. … |
| Remediation | Vendor-released patch: upgrade ws to version 8.21.1 or later, which counts empty fragments toward the limit and reduces the default values of the maxBufferedChunks and maxFragments options (fix commit f197ac65140920bdcecdab74bfc69c2d7858e55d; release notes at https://github.com/websockets/ws/releases/tag/8.21.1). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all applications and services using ws library versions prior to 8.21.1 and assess production exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
ws is an open source WebSocket client and server library for Node.js. Rated medium severity (CVSS 5.3), this vulnerabili
Uninitialized memory disclosure in the ws WebSocket library for Node.js (versions 8.0.0 through 8.20.0) allows a connect
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44729
GHSA-73jw-fp74-p77x