CVE-2026-48779
HIGH 7.5
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to (but not including) 6.2.4, from 7.0.0 up to (but not including) 7.5.11, and from 8.0.0 up to (but not including) 8.21.0 are affected by a memory exhaustion denial-of-service vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with only modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit accounts for, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
Severe if exploited (CVSS 7.5, availability impact only), but no known exploitation and low modeled probability. Patch on a normal cadence. Note that ws is both a client and a server library and the trigger is traffic from a peer, so ws clients that connect to untrusted servers are exposed as well as network-reachable ws servers.
Exploitation likelihood
0.8% chance of exploitation in 30 days · 51st percentile
Impact if exploited
7.5 · CVSS 3.1 · HIGH
- Confidentiality: None
- Integrity: None
- Availability: High
What an attacker needs
- ✓ Access: Reachable over the network — no local access needed
- ✓ Privileges: No account or privileges required
- ✓ User interaction: No user interaction needed
- ✓ Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Vendors: websockets, Red Hat
Products: ws; Red Hat Developer Hub 1.9; Red Hat Discovery 2; Red Hat OpenShift Service Mesh 2.6, 3.0, 3.1, 3.2, 3.3
Weakness (CWE)
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
- CWE-1050: Excessive Platform Resource Consumption within a Loop
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Advisories
- https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p
- https://access.redhat.com/security/cve/CVE-2026-48779
- https://bugzilla.redhat.com/show_bug.cgi?id=2489661
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48779.json
Technical & other
- https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7
- https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53
- https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94
- https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8