File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ ---
2+ gem : websocket-driver
3+ cve : 2026-54463
4+ ghsa : ghhp-3qvg-889p
5+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54463
6+ title : Memory exhaustion via abuse of protocol length headers
7+ date : 2026-06-04
8+ description : |
9+ ## Impact
10+
11+ The frame format in draft versions of the WebSocket protocol includes
12+ a length header that allows an arbitrarily large integer to be encoded
13+ as a sequence of bytes with the high bit set. By sending an indefinite
14+ sequence of bytes with values 0x80 or above, a server or client can
15+ make the other peer parse these bytes into an ever-growing integer.
16+ Since Ruby integers are arbitrary precision, this can be used to make
17+ a WebSocket connection consume an unbounded amount of memory and
18+ lead to the host process running out of memory.
19+
20+ ## Acknowledgements
21+
22+ This issue was discovered and reported by Pranjali Thakur,
23+ DepthFirst Security Research Team.
24+ cvss_v4 : 6.9
25+ patched_versions :
26+ - " >= 0.8.1"
27+ related :
28+ url :
29+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54463
30+ - https://rubygems.org/gems/websocket-driver/versions/0.8.1
31+ - https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#081--2026-06-04
32+ - https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-ghhp-3qvg-889p
33+ notes : |
34+ - NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
35+ - date value from CHANGELOG URL.
36+ - cvss_v4 value came from GHSA.
37+ - CVE is reserved, but not published.
Original file line number Diff line number Diff line change 1+ ---
2+ gem : websocket-driver
3+ cve : 2026-54464
4+ ghsa : 33ph-fccm-39pj
5+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54464
6+ title : Resource limit bypass via message compression
7+ date : 2026-06-04
8+ description : |
9+ ## Impact
10+
11+ If this library is used in tandem with the permessage-deflate extension,
12+ a WebSocket server or client can be made to accept messages that are
13+ larger than the configured maximum message size. This is because this
14+ limit is checked against the message frames' length headers, which
15+ give the size of the compressed data, not the size after decompression.
16+ This can lead to applications accepting larger messages than expected
17+ and exceeding their intended resource usage.
18+
19+ ## Acknowledgements
20+
21+ This issue was discovered and reported by Pranjali Thakur,
22+ DepthFirst Security Research Team.
23+ cvss_v4 : 6.3
24+ patched_versions :
25+ - " >= 0.8.1"
26+ related :
27+ url :
28+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54464
29+ - https://rubygems.org/gems/websocket-driver/versions/0.8.1
30+ - https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#081--2026-06-04
31+ - https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-33ph-fccm-39pj
32+ notes : |
33+ - NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
34+ - date value from CHANGELOG URL.
35+ - cvss_v4 value came from GHSA.
36+ - CVE is reserved, but not published.
Original file line number Diff line number Diff line change 1+ ---
2+ gem : websocket-driver
3+ cve : 2026-54465
4+ ghsa : 8j3g-f24p-4mpw
5+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54465
6+ title : Memory exhaustion in HTTP header parser
7+ date : 2026-06-04
8+ description : |
9+ ## Impact
10+
11+ If this library is used to implement a WebSocket server on top of a
12+ TCP server (rather than an HTTP server or framework) using the
13+ WebSocket::Driver.server() method, or, if it is used to complement
14+ a WebSocket client, then a peer can make a single connection consume
15+ an unbounded amount of memory by sending an HTTP request or response
16+ with a never-ending list of headers. This can lead to the receiving
17+ process running out of memory.
18+
19+ ## Acknowledgements
20+
21+ This issue was discovered and reported by Pranjali Thakur,
22+ DepthFirst Security Research Team.
23+ cvss_v4 : 8.3
24+ patched_versions :
25+ - " >= 0.8.1"
26+ related :
27+ url :
28+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54465
29+ - https://rubygems.org/gems/websocket-driver/versions/0.8.1
30+ - https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#081--2026-06-04
31+ - https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-8j3g-f24p-4mpw
32+ notes : |
33+ - NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
34+ - date value from CHANGELOG URL.
35+ - cvss_v4 value came from GHSA.
36+ - CVE is reserved, but not published.
Original file line number Diff line number Diff line change 1+ ---
2+ gem : websocket-driver
3+ ghsa : 2x63-gw47-w4mm
4+ url : https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-2x63-gw47-w4mm
5+ title : Denial of service via malformed Host header
6+ date : 2026-06-23
7+ description : |
8+ ## Impact
9+
10+ If this library is used to implement a WebSocket server on top of a
11+ TCP server, by using the WebSocket::Driver.server() method, then a
12+ client can cause the server to crash by sending a Host header that
13+ is not a valid host[:port] string. When this happens, a URI::InvalidURIError
14+ exception is raised which is not caught, and this can cause the server
15+ process to crash if the application does not catch the error from
16+ the parse() method itself.
17+
18+ ## Acknowledgements
19+
20+ This issue was discovered and reported by Pranjali Thakur,
21+ DepthFirst Security Research Team.
22+ cvss_v4 : 8.9
23+ patched_versions :
24+ - " >= 0.8.2"
25+ related :
26+ url :
27+ - https://rubygems.org/gems/websocket-driver/versions/0.8.2
28+ - https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#082--2026-06-23
29+ - https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-2x63-gw47-w4mm
30+ notes : |
31+ - NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
32+ - date value from CHANGELOG URL.
33+ - cvss_v4 value came from GHSA.
34+ - No CVE, so no non-GHSA cvss values.
You can’t perform that action at this time.
0 commit comments