Skip to content

Commit 6fce610

Browse files
jasnowRubySec CI
authored andcommitted
Updated advisory posts against rubysec/ruby-advisory-db@12baec0
1 parent 869b238 commit 6fce610

4 files changed

Lines changed: 173 additions & 0 deletions

File tree

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54463 (websocket-driver): Memory exhaustion via abuse of protocol
4+
length headers'
5+
comments: false
6+
categories:
7+
- websocket-driver
8+
advisory:
9+
gem: websocket-driver
10+
cve: 2026-54463
11+
ghsa: ghhp-3qvg-889p
12+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54463
13+
title: Memory exhaustion via abuse of protocol length headers
14+
date: 2026-06-04
15+
description: |-
16+
## Impact
17+
18+
The frame format in draft versions of the WebSocket protocol includes
19+
a length header that allows an arbitrarily large integer to be encoded
20+
as a sequence of bytes with the high bit set. By sending an indefinite
21+
sequence of bytes with values 0x80 or above, a server or client can
22+
make the other peer parse these bytes into an ever-growing integer.
23+
Since Ruby integers are arbitrary precision, this can be used to make
24+
a WebSocket connection consume an unbounded amount of memory and
25+
lead to the host process running out of memory.
26+
27+
## Acknowledgements
28+
29+
This issue was discovered and reported by Pranjali Thakur,
30+
DepthFirst Security Research Team.
31+
cvss_v4: 6.9
32+
patched_versions:
33+
- ">= 0.8.1"
34+
related:
35+
url:
36+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54463
37+
- https://rubygems.org/gems/websocket-driver/versions/0.8.1
38+
- https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#081--2026-06-04
39+
- https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-ghhp-3qvg-889p
40+
notes: |
41+
- NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
42+
- date value from CHANGELOG URL.
43+
- cvss_v4 value came from GHSA.
44+
- CVE is reserved, but not published.
45+
---
Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54464 (websocket-driver): Resource limit bypass via message compression'
4+
comments: false
5+
categories:
6+
- websocket-driver
7+
advisory:
8+
gem: websocket-driver
9+
cve: 2026-54464
10+
ghsa: 33ph-fccm-39pj
11+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54464
12+
title: Resource limit bypass via message compression
13+
date: 2026-06-04
14+
description: |-
15+
## Impact
16+
17+
If this library is used in tandem with the permessage-deflate extension,
18+
a WebSocket server or client can be made to accept messages that are
19+
larger than the configured maximum message size. This is because this
20+
limit is checked against the message frames' length headers, which
21+
give the size of the compressed data, not the size after decompression.
22+
This can lead to applications accepting larger messages than expected
23+
and exceeding their intended resource usage.
24+
25+
## Acknowledgements
26+
27+
This issue was discovered and reported by Pranjali Thakur,
28+
DepthFirst Security Research Team.
29+
cvss_v4: 6.3
30+
patched_versions:
31+
- ">= 0.8.1"
32+
related:
33+
url:
34+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54464
35+
- https://rubygems.org/gems/websocket-driver/versions/0.8.1
36+
- https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#081--2026-06-04
37+
- https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-33ph-fccm-39pj
38+
notes: |
39+
- NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
40+
- date value from CHANGELOG URL.
41+
- cvss_v4 value came from GHSA.
42+
- CVE is reserved, but not published.
43+
---
Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54465 (websocket-driver): Memory exhaustion in HTTP header parser'
4+
comments: false
5+
categories:
6+
- websocket-driver
7+
advisory:
8+
gem: websocket-driver
9+
cve: 2026-54465
10+
ghsa: 8j3g-f24p-4mpw
11+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54465
12+
title: Memory exhaustion in HTTP header parser
13+
date: 2026-06-04
14+
description: |-
15+
## Impact
16+
17+
If this library is used to implement a WebSocket server on top of a
18+
TCP server (rather than an HTTP server or framework) using the
19+
WebSocket::Driver.server() method, or, if it is used to complement
20+
a WebSocket client, then a peer can make a single connection consume
21+
an unbounded amount of memory by sending an HTTP request or response
22+
with a never-ending list of headers. This can lead to the receiving
23+
process running out of memory.
24+
25+
## Acknowledgements
26+
27+
This issue was discovered and reported by Pranjali Thakur,
28+
DepthFirst Security Research Team.
29+
cvss_v4: 8.3
30+
patched_versions:
31+
- ">= 0.8.1"
32+
related:
33+
url:
34+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54465
35+
- https://rubygems.org/gems/websocket-driver/versions/0.8.1
36+
- https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#081--2026-06-04
37+
- https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-8j3g-f24p-4mpw
38+
notes: |
39+
- NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
40+
- date value from CHANGELOG URL.
41+
- cvss_v4 value came from GHSA.
42+
- CVE is reserved, but not published.
43+
---
Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
---
2+
layout: advisory
3+
title: 'GHSA-2x63-gw47-w4mm (websocket-driver): Denial of service via malformed Host
4+
header'
5+
comments: false
6+
categories:
7+
- websocket-driver
8+
advisory:
9+
gem: websocket-driver
10+
ghsa: 2x63-gw47-w4mm
11+
url: https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-2x63-gw47-w4mm
12+
title: Denial of service via malformed Host header
13+
date: 2026-06-23
14+
description: |-
15+
## Impact
16+
17+
If this library is used to implement a WebSocket server on top of a
18+
TCP server, by using the WebSocket::Driver.server() method, then a
19+
client can cause the server to crash by sending a Host header that
20+
is not a valid host[:port] string. When this happens, a URI::InvalidURIError
21+
exception is raised which is not caught, and this can cause the server
22+
process to crash if the application does not catch the error from
23+
the parse() method itself.
24+
25+
## Acknowledgements
26+
27+
This issue was discovered and reported by Pranjali Thakur,
28+
DepthFirst Security Research Team.
29+
cvss_v4: 8.9
30+
patched_versions:
31+
- ">= 0.8.2"
32+
related:
33+
url:
34+
- https://rubygems.org/gems/websocket-driver/versions/0.8.2
35+
- https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#082--2026-06-23
36+
- https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-2x63-gw47-w4mm
37+
notes: |
38+
- NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
39+
- date value from CHANGELOG URL.
40+
- cvss_v4 value came from GHSA.
41+
- No CVE, so no non-GHSA cvss values.
42+
---

0 commit comments

Comments
 (0)