CVE-2026-62389

Source
https://cve.org/CVERecord?id=CVE-2026-62389
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-62389.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-62389
Downstream
Published
2026-07-15T17:04:26.250Z
Modified
2026-07-17T03:48:24.843382135Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
ws < 8.21.1 Default maxFragments Allows Memory Exhaustion DoS
Details

ws before 8.21.1 contains a memory exhaustion vulnerability in lib/receiver.js where the fragment guard only triggers when fragment count reaches maxFragments, allowing attackers to exhaust memory by sending incomplete fragmented WebSocket messages. Attackers can send a text frame with FIN=0 followed by continuation frames without completing the sequence, causing each fragment to be stored as a separate Buffer object with significant overhead, enabling denial of service through heap exhaustion.

Database specific
{
    "cwe_ids": [
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/62xxx/CVE-2026-62389.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/websockets/ws

Affected ranges

Type
GIT
Repo
https://github.com/websockets/ws
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.21.1"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.4.32
0.5.0
0.6
0.6.2
0.6.3
0.6.4
0.6.5
0.7
0.7.1
0.7.2
0.8.0
0.8.1
1.*
1.0.0
1.0.1
1.1.0
2.*
2.0.0
2.0.0-beta.0
2.0.0-beta.1
2.0.0-beta.2
2.0.1
2.0.2
2.0.3
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.3.1
3.*
3.0.0
3.1.0
3.2.0
3.3.0
3.3.1
3.3.2
3.3.3
4.*
4.0.0
4.1.0
5.*
5.0.0
5.1.0
5.1.1
5.2.0
5.2.1
6.*
6.0.0
6.1.0
6.1.1
6.1.2
6.1.3
6.1.4
6.2.0
6.2.1
7.*
7.0.0
7.0.1
7.1.0
7.1.1
7.1.2
7.2.0
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.3.0
7.3.1
7.4.0
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.4.6
7.5.0
7.5.1
7.5.2
7.5.3
8.*
8.0.0
8.1.0
8.10.0
8.11.0
8.12.0
8.12.1
8.13.0
8.14.0
8.14.1
8.14.2
8.15.0
8.15.1
8.16.0
8.17.0
8.17.1
8.18.0
8.18.1
8.18.2
8.18.3
8.19.0
8.2.0
8.2.1
8.2.2
8.2.3
8.20.0
8.20.1
8.21.0
8.3.0
8.4.0
8.4.1
8.4.2
8.5.0
8.6.0
8.7.0
8.8.0
8.8.1
8.9.0
v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.1.0
v0.1.1
v0.1.2
v0.2.0
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.2
v0.3.3
v0.3.4
v0.3.4-2
v0.3.5
v0.3.5-2
v0.3.5-3
v0.3.5-4
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.10
v0.4.11
v0.4.12
v0.4.13
v0.4.14
v0.4.15
v0.4.16
v0.4.17
v0.4.18
v0.4.19
v0.4.2
v0.4.20
v0.4.21
v0.4.22
v0.4.23
v0.4.24
v0.4.25
v0.4.27
v0.4.28
v0.4.29
v0.4.3
v0.4.30
v0.4.31
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-62389.json"