DEBIAN-CVE-2026-62389

Source
https://security-tracker.debian.org/tracker/CVE-2026-62389
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-62389.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-62389
Upstream
Published
2026-07-15T18:16:49.893Z
Modified
2026-07-16T09:00:19.583427982Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
[none]
Details

ws before 8.21.1 contains a memory exhaustion vulnerability in lib/receiver.js where the fragment guard only triggers when fragment count reaches maxFragments, allowing attackers to exhaust memory by sending incomplete fragmented WebSocket messages. Attackers can send a text frame with FIN=0 followed by continuation frames without completing the sequence, causing each fragment to be stored as a separate Buffer object with significant overhead, enabling denial of service through heap exhaustion.

References

Affected packages

Debian:11 / node-ws

Package

Name
node-ws
Purl
pkg:deb/debian/node-ws?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.4.2+~cs18.0.8-2
7.5.5+~cs13.0.13-1
8.*
8.5.0+~cs13.3.3-1
8.5.0+~cs13.3.3-2
8.6.0+~cs13.6.3-1
8.8.0+~cs13.6.3-1
8.8.1+~cs13.7.3-1
8.10.0+~cs13.7.3-1
8.11.0+~cs13.7.3-1
8.11.0+~cs13.7.3-2
8.18.0+~cs13.7.11-1
8.18.0+~cs14.5.15-1
8.18.1+~cs14.18.2-1
8.19.0+~cs14.19.1-1
8.20.1+~cs14.19.1-1
8.21.0+~cs14.19.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-62389.json"

Debian:12 / node-ws

Package

Name
node-ws
Purl
pkg:deb/debian/node-ws?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.11.0+~cs13.7.3-1
8.11.0+~cs13.7.3-2
8.18.0+~cs13.7.11-1
8.18.0+~cs14.5.15-1
8.18.1+~cs14.18.2-1
8.19.0+~cs14.19.1-1
8.20.1+~cs14.19.1-1
8.21.0+~cs14.19.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-62389.json"

Debian:13 / node-ws

Package

Name
node-ws
Purl
pkg:deb/debian/node-ws?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.18.1+~cs14.18.2-1
8.19.0+~cs14.19.1-1
8.20.1+~cs14.19.1-1
8.21.0+~cs14.19.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-62389.json"

Debian:14 / node-ws

Package

Name
node-ws
Purl
pkg:deb/debian/node-ws?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.18.1+~cs14.18.2-1
8.19.0+~cs14.19.1-1
8.20.1+~cs14.19.1-1
8.21.0+~cs14.19.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-62389.json"