CVE-2026-48779 · HIGH · CNA: GitHub_M

CVE-2026-48779: ws: Memory exhaustion DoS from tiny fragments and data chunks

ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to (but not including) 6.2.4, from 7.0.0 up to (but not including) 7.5.11, and from 8.0.0 up to (but not including) 8.21.0 are affected by a memory exhaustion denial-of-service vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, using only modest network bandwidth, to force the remote peer to allocate and hold per-fragment structural wrappers whose total size far exceeds the default documented message-size limit, until the process is terminated for running out of memory. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 5.2.5, 6.2.4, 7.5.11, 8.21.0
Affected products: 1


HarborGuard Analysis

Synopsis

Memory exhaustion denial-of-service vulnerability in the ws WebSocket library for Node.js. An attacker reachable over the network, with no authentication required, can send a high volume of tiny WebSocket fragments and data chunks that force the receiving process to allocate structural wrappers far exceeding the documented message-size limit, eventually crashing the process due to out-of-memory conditions. Patched-image rebuilds at ws versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-48779 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all images in customer registries and CI pipelines, including custom-built images that bundle ws as a transitive dependency.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 HIGH and is capable of applying per-environment compliance policy weighting to adjust urgency before routing findings to the appropriate team inbox inside each customer organization.

Patch: Pending upstream

Because fix versions exist (5.2.5, 6.2.4, 7.5.11, and 8.21.0), a patched-image rebuild targeting the applicable fixed version is available on HarborGuard for any environment found running an affected release. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests against the updated image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the target ws server or client over the network and establish a WebSocket connection to it.

  • Authentication: Not required

    No credentials or prior authentication are needed; any peer that can open a WebSocket connection can trigger the condition.

  • Victim interaction: Not required

    No user action is required; the receiving process parses incoming WebSocket frames as they arrive and accumulates memory without anyone clicking or approving anything.

  • Attack complexity: Low (AC:L)

    Exploitation needs no race or special preconditions; the attacker sends a sustained stream of minimal fragments and memory growth follows deterministically.

Blast Radius

  • The targeted Node.js process exhausts available memory and dies, either aborting on a V8 heap out-of-memory fatal error or being killed by the operating system or container OOM killer, taking down all in-process request handling.
  • Any in-flight WebSocket sessions handled by the same process are dropped without graceful shutdown, severing real-time connections for all connected clients.
  • If the ws server runs inside a single-replica deployment with no auto-restart, the service becomes fully unavailable until the process is manually restarted or a watchdog revives it.
  • No confidential data is read and no persistent data is modified; impact is limited to availability.

How HarborGuard Handles This

Available on HarborGuard: images containing any affected ws version range (>=1.1.0 <5.2.5, >=6.0.0 <6.2.4, >=7.0.0 <7.5.11, >=8.0.0 <8.21.0) are flagged as soon as the CVE matches during a scan cycle. A patched-image rebuild pinned to the correct fix version is available for each detected branch. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, runs a regression test suite against it, and opens a pull request against the affected workload, with a median time from CVE publication to merged patch PR of around 90 minutes for HIGH-severity issues in environments with auto-remediation enabled. Customers not using auto-remediation will see the finding surfaced in their HarborGuard dashboard with the target fix version noted, so engineering teams can apply the update manually.

While awaiting deployment, a practical compensating control is to limit the number of concurrent WebSocket connections and the connection lifetime per source address at the load balancer, ingress, or upgrade handler, which bounds how many fragments any single peer can deliver before it is cut off. Caps on fragment or frame counts can only be enforced by a proxy that parses WebSocket frames; most L4/L7 load balancers forward the upgraded connection opaquely. The library's own message-size limit (the maxPayload option) does not bound this growth, because the overhead accrues in per-fragment bookkeeping rather than in payload bytes. Running the process under a supervisor that restarts it promptly, and alerting on per-process heap and RSS growth, shortens the outage window when the control is bypassed but does not prevent the crash.
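A per-source-address connection budget at the HTTP upgrade layer, as an added example that is not HarborGuard's or the ws project's code: it caps concurrent WebSocket connections and connection lifetime per peer before the socket is handed to the WebSocket library, which is the connection-limit half of the compensating control described above. Assumptions: when trustProxy is true the server sits behind a proxy that sets X-Forwarded-For; the onUpgrade callback is a hypothetical hand-off point where ws's handleUpgrade (on a server created with noServer: true) would be called; the numeric limits are illustrative. It does not parse frames, so it cannot cap fragments per message; it only bounds how many connections a peer may hold and for how long.

```javascript
// Added example, not code from HarborGuard or from the ws project.
// A per-source-address connection budget enforced in the HTTP upgrade handler,
// before the socket is handed to whatever WebSocket library serves it.

class ConnectionBudget {
  // maxPerPeer: concurrent WebSocket connections allowed per peer key.
  // maxLifetimeMs: hard cap on how long one connection may stay open.
  // Both limits are illustrative; tune them to the application.
  constructor({ maxPerPeer = 5, maxLifetimeMs = 10 * 60 * 1000 } = {}) {
    this.maxPerPeer = maxPerPeer;
    this.maxLifetimeMs = maxLifetimeMs;
    this.active = new Map(); // peer key -> number of live connections
  }

  // Record a new connection for `peer`; returns false if the peer is at its cap.
  tryAcquire(peer) {
    const n = this.active.get(peer) || 0;
    if (n >= this.maxPerPeer) return false;
    this.active.set(peer, n + 1);
    return true;
  }

  release(peer) {
    const n = this.active.get(peer) || 0;
    if (n <= 1) this.active.delete(peer);
    else this.active.set(peer, n - 1);
  }

  count(peer) {
    return this.active.get(peer) || 0;
  }
}

// Peer key for the budget. Behind a trusted reverse proxy the first
// X-Forwarded-For entry is the client (assumption: the proxy sets the header);
// otherwise use the TCP source address. Never trust X-Forwarded-For when the
// server is directly reachable, or a client can choose its own key and
// sidestep the cap.
function peerKey(req, socket, trustProxy) {
  if (trustProxy) {
    const xff = req.headers['x-forwarded-for'];
    if (typeof xff === 'string' && xff.trim() !== '') return xff.split(',')[0].trim();
  }
  return socket.remoteAddress || 'unknown';
}

// Attach the budget to a Node http server. `onUpgrade(req, socket, head)` is the
// hypothetical hand-off to the WebSocket library (for ws: a WebSocketServer
// created with { noServer: true } and its handleUpgrade method). Over-budget
// upgrades get a 429 on the raw socket and are closed without ever reaching
// the WebSocket frame parser.
function startGuardedServer({ port, budget, onUpgrade, trustProxy = false }) {
  const http = require('node:http');
  const server = http.createServer((_req, res) => {
    res.writeHead(426, { 'Content-Type': 'text/plain' }); // plain HTTP is not served here
    res.end('Upgrade Required\n');
  });

  server.on('upgrade', (req, socket, head) => {
    const peer = peerKey(req, socket, trustProxy);
    if (!budget.tryAcquire(peer)) {
      socket.write('HTTP/1.1 429 Too Many Requests\r\nConnection: close\r\n\r\n');
      socket.destroy();
      return;
    }
    // Lifetime cap: a peer that keeps one connection open to trickle fragments
    // is disconnected regardless of how little it has sent.
    const timer = setTimeout(() => socket.destroy(), budget.maxLifetimeMs);
    socket.once('close', () => {
      clearTimeout(timer);
      budget.release(peer);
    });
    onUpgrade(req, socket, head);
  });

  server.listen(port);
  return server;
}
```

startGuardedServer is not invoked at load time; to use it, construct a ConnectionBudget, pass the hand-off callback that gives the socket to the WebSocket library, and choose a port. The budget is keyed per process, so in a multi-replica deployment each replica enforces its own cap unless the same limit is also applied at the ingress.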

Affected packages
  • websockets / ws
    >= 1.1.0, < 5.2.5 · >= 6.0.0, < 6.2.4 · >= 7.0.0, < 7.5.11 · >= 8.0.0, < 8.21.0
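The range matching that the Detection section and the list above describe, as an added example that is not HarborGuard's or the ws project's code: it classifies an installed ws version against the four affected ranges, reports the release that fixes it, and walks a package-lock.json so nested transitive copies of ws are found as well. The lockfile contents and the dependency name legacy-rpc are constructed for the demonstration and do not refer to any real project.

```javascript
// Added example, not code from HarborGuard or from the ws project.
// Classifies an installed ws version against the affected ranges in this
// advisory and reports the release that fixes it, then walks a
// package-lock.json so nested (transitive) copies of ws are found too.

// Ranges as listed in the advisory: [from, before), where `before` is the fix release.
const WS_AFFECTED_RANGES = [
  { from: '1.1.0', before: '5.2.5' },
  { from: '6.0.0', before: '6.2.4' },
  { from: '7.0.0', before: '7.5.11' },
  { from: '8.0.0', before: '8.21.0' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; a leading "v" is tolerated.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Semver ordering on the numeric triple; a prerelease sorts below the same
// release number (8.21.0-beta.1 < 8.21.0), so it is still inside the range.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre !== pb.pre) return pa.pre ? -1 : 1;
  return 0;
}

function checkWsVersion(version) {
  for (const r of WS_AFFECTED_RANGES) {
    if (compareVersions(version, r.from) >= 0 && compareVersions(version, r.before) < 0) {
      return { version, affected: true, fixedIn: r.before };
    }
  }
  return { version, affected: false, fixedIn: null };
}

// package-lock.json (lockfileVersion 2 or 3) keys each installed package by its
// path under node_modules, so a nested copy appears as
// "node_modules/<dep>/node_modules/ws". Returns one result per copy found.
function findWsInLockfile(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/ws' || path.endsWith('/node_modules/ws')) {
      results.push({ path, ...checkWsVersion(entry.version) });
    }
  }
  return results;
}

// Constructed sample lockfile (not from any real project): the app pins a fixed
// ws, but a hypothetical dependency "legacy-rpc" still drags in an affected copy.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { ws: '^8.21.0', 'legacy-rpc': '^2.3.0' } },
    'node_modules/ws': { version: '8.21.0' },
    'node_modules/legacy-rpc': { version: '2.3.1', dependencies: { ws: '^7.0.0' } },
    'node_modules/legacy-rpc/node_modules/ws': { version: '7.5.10' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of findWsInLockfile(SAMPLE_LOCK)) {
    console.log(`${r.path}@${r.version}: ${r.affected ? `AFFECTED, upgrade to ${r.fixedIn}` : 'not affected'}`);
  }
}
```

Run against a real lockfile by replacing SAMPLE_LOCK with the parsed file; the nested path tells you which dependency to bump or override, since upgrading the top-level ws alone leaves the transitive copy in place.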
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H