CVE-2026-48779

Source
https://cve.org/CVERecord?id=CVE-2026-48779
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48779.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48779
Aliases
Downstream
Related
Published
2026-06-16T21:26:22.537Z
Modified
2026-07-12T03:55:25.407992660Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
ws: Memory exhaustion DoS from tiny fragments and data chunks
Details

ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48779.json",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/websockets/ws

Affected ranges

Type
GIT
Repo
https://github.com/websockets/ws
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:ws_project:ws:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "1.1.0"
        },
        {
            "fixed": "5.2.5"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.2.4"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.5.11"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.21.0"
        }
    ]
}

Affected versions

1.*
1.1.0
2.*
2.0.0
2.0.0-beta.0
2.0.0-beta.1
2.0.0-beta.2
2.0.1
2.0.2
2.0.3
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.3.1
3.*
3.0.0
3.1.0
3.2.0
3.3.0
3.3.1
3.3.2
3.3.3
4.*
4.0.0
4.1.0
5.*
5.0.0
5.1.0
5.1.1
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
6.*
6.0.0
6.1.0
6.1.1
6.1.2
6.1.3
6.1.4
6.2.0
6.2.1
6.2.2
6.2.3
7.*
7.0.0
7.0.1
7.1.0
7.1.1
7.1.2
7.2.0
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.3.0
7.3.1
7.4.0
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.4.6
7.5.0
7.5.1
7.5.10
7.5.2
7.5.3
7.5.4
7.5.5
7.5.6
7.5.7
7.5.8
7.5.9
8.*
8.0.0
8.1.0
8.10.0
8.11.0
8.12.0
8.12.1
8.13.0
8.14.0
8.14.1
8.14.2
8.15.0
8.15.1
8.16.0
8.17.0
8.17.1
8.18.0
8.18.1
8.18.2
8.18.3
8.19.0
8.2.0
8.2.1
8.2.2
8.2.3
8.20.0
8.20.1
8.3.0
8.4.0
8.4.1
8.4.2
8.5.0
8.6.0
8.7.0
8.8.0
8.8.1
8.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48779.json"