File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-54463 (websocket-driver): Memory exhaustion via abuse of protocol
4+ length headers'
5+ comments : false
6+ categories :
7+ - websocket-driver
8+ advisory :
9+ gem : websocket-driver
10+ cve : 2026-54463
11+ ghsa : ghhp-3qvg-889p
12+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54463
13+ title : Memory exhaustion via abuse of protocol length headers
14+ date : 2026-06-04
15+ description : |-
16+ ## Impact
17+
18+ The frame format in draft versions of the WebSocket protocol includes
19+ a length header that allows an arbitrarily large integer to be encoded
20+ as a sequence of bytes with the high bit set. By sending an indefinite
21+ sequence of bytes with values 0x80 or above, a server or client can
22+ make the other peer parse these bytes into an ever-growing integer.
23+ Since Ruby integers are arbitrary precision, this can be used to make
24+ a WebSocket connection consume an unbounded amount of memory and
25+ lead to the host process running out of memory.
26+
27+ ## Acknowledgements
28+
29+ This issue was discovered and reported by Pranjali Thakur,
30+ DepthFirst Security Research Team.
31+ cvss_v4 : 6.9
32+ patched_versions :
33+ - " >= 0.8.1"
34+ related :
35+ url :
36+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54463
37+ - https://rubygems.org/gems/websocket-driver/versions/0.8.1
38+ - https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#081--2026-06-04
39+ - https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-ghhp-3qvg-889p
40+ notes : |
41+ - NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
42+ - date value from CHANGELOG URL.
43+ - cvss_v4 value came from GHSA.
44+ - CVE is reserved, but not published.
45+ ---
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-54464 (websocket-driver): Resource limit bypass via message compression'
4+ comments : false
5+ categories :
6+ - websocket-driver
7+ advisory :
8+ gem : websocket-driver
9+ cve : 2026-54464
10+ ghsa : 33ph-fccm-39pj
11+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54464
12+ title : Resource limit bypass via message compression
13+ date : 2026-06-04
14+ description : |-
15+ ## Impact
16+
17+ If this library is used in tandem with the permessage-deflate extension,
18+ a WebSocket server or client can be made to accept messages that are
19+ larger than the configured maximum message size. This is because this
20+ limit is checked against the message frames' length headers, which
21+ give the size of the compressed data, not the size after decompression.
22+ This can lead to applications accepting larger messages than expected
23+ and exceeding their intended resource usage.
24+
25+ ## Acknowledgements
26+
27+ This issue was discovered and reported by Pranjali Thakur,
28+ DepthFirst Security Research Team.
29+ cvss_v4 : 6.3
30+ patched_versions :
31+ - " >= 0.8.1"
32+ related :
33+ url :
34+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54464
35+ - https://rubygems.org/gems/websocket-driver/versions/0.8.1
36+ - https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#081--2026-06-04
37+ - https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-33ph-fccm-39pj
38+ notes : |
39+ - NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
40+ - date value from CHANGELOG URL.
41+ - cvss_v4 value came from GHSA.
42+ - CVE is reserved, but not published.
43+ ---
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-54465 (websocket-driver): Memory exhaustion in HTTP header parser'
4+ comments : false
5+ categories :
6+ - websocket-driver
7+ advisory :
8+ gem : websocket-driver
9+ cve : 2026-54465
10+ ghsa : 8j3g-f24p-4mpw
11+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54465
12+ title : Memory exhaustion in HTTP header parser
13+ date : 2026-06-04
14+ description : |-
15+ ## Impact
16+
17+ If this library is used to implement a WebSocket server on top of a
18+ TCP server (rather than an HTTP server or framework) using the
19+ WebSocket::Driver.server() method, or, if it is used to complement
20+ a WebSocket client, then a peer can make a single connection consume
21+ an unbounded amount of memory by sending an HTTP request or response
22+ with a never-ending list of headers. This can lead to the receiving
23+ process running out of memory.
24+
25+ ## Acknowledgements
26+
27+ This issue was discovered and reported by Pranjali Thakur,
28+ DepthFirst Security Research Team.
29+ cvss_v4 : 8.3
30+ patched_versions :
31+ - " >= 0.8.1"
32+ related :
33+ url :
34+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54465
35+ - https://rubygems.org/gems/websocket-driver/versions/0.8.1
36+ - https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#081--2026-06-04
37+ - https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-8j3g-f24p-4mpw
38+ notes : |
39+ - NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
40+ - date value from CHANGELOG URL.
41+ - cvss_v4 value came from GHSA.
42+ - CVE is reserved, but not published.
43+ ---
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' GHSA-2x63-gw47-w4mm (websocket-driver): Denial of service via malformed Host
4+ header'
5+ comments : false
6+ categories :
7+ - websocket-driver
8+ advisory :
9+ gem : websocket-driver
10+ ghsa : 2x63-gw47-w4mm
11+ url : https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-2x63-gw47-w4mm
12+ title : Denial of service via malformed Host header
13+ date : 2026-06-23
14+ description : |-
15+ ## Impact
16+
17+ If this library is used to implement a WebSocket server on top of a
18+ TCP server, by using the WebSocket::Driver.server() method, then a
19+ client can cause the server to crash by sending a Host header that
20+ is not a valid host[:port] string. When this happens, a URI::InvalidURIError
21+ exception is raised which is not caught, and this can cause the server
22+ process to crash if the application does not catch the error from
23+ the parse() method itself.
24+
25+ ## Acknowledgements
26+
27+ This issue was discovered and reported by Pranjali Thakur,
28+ DepthFirst Security Research Team.
29+ cvss_v4 : 8.9
30+ patched_versions :
31+ - " >= 0.8.2"
32+ related :
33+ url :
34+ - https://rubygems.org/gems/websocket-driver/versions/0.8.2
35+ - https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#082--2026-06-23
36+ - https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-2x63-gw47-w4mm
37+ notes : |
38+ - NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
39+ - date value from CHANGELOG URL.
40+ - cvss_v4 value came from GHSA.
41+ - No CVE, so no non-GHSA cvss values.
42+ ---
You can’t perform that action at this time.
0 commit comments