Skip to content

Commit 12baec0

Browse files
authored
Merge pull request #1162 from jasnow/websocket-driver-advs
Four websocket-driver advisories @simi - Thanks for reviewing my PR.
2 parents 86ef68c + 91d5ea8 commit 12baec0

4 files changed

Lines changed: 143 additions & 0 deletions

File tree

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
---
2+
gem: websocket-driver
3+
cve: 2026-54463
4+
ghsa: ghhp-3qvg-889p
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54463
6+
title: Memory exhaustion via abuse of protocol length headers
7+
date: 2026-06-04
8+
description: |
9+
## Impact
10+
11+
The frame format in draft versions of the WebSocket protocol includes
12+
a length header that allows an arbitrarily large integer to be encoded
13+
as a sequence of bytes with the high bit set. By sending an indefinite
14+
sequence of bytes with values 0x80 or above, a server or client can
15+
make the other peer parse these bytes into an ever-growing integer.
16+
Since Ruby integers are arbitrary precision, this can be used to make
17+
a WebSocket connection consume an unbounded amount of memory and
18+
lead to the host process running out of memory.
19+
20+
## Acknowledgements
21+
22+
This issue was discovered and reported by Pranjali Thakur,
23+
DepthFirst Security Research Team.
24+
cvss_v4: 6.9
25+
patched_versions:
26+
- ">= 0.8.1"
27+
related:
28+
url:
29+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54463
30+
- https://rubygems.org/gems/websocket-driver/versions/0.8.1
31+
- https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#081--2026-06-04
32+
- https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-ghhp-3qvg-889p
33+
notes: |
34+
- NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
35+
- date value from CHANGELOG URL.
36+
- cvss_v4 value came from GHSA.
37+
- CVE is reserved, but not published.
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
---
2+
gem: websocket-driver
3+
cve: 2026-54464
4+
ghsa: 33ph-fccm-39pj
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54464
6+
title: Resource limit bypass via message compression
7+
date: 2026-06-04
8+
description: |
9+
## Impact
10+
11+
If this library is used in tandem with the permessage-deflate extension,
12+
a WebSocket server or client can be made to accept messages that are
13+
larger than the configured maximum message size. This is because this
14+
limit is checked against the message frames' length headers, which
15+
give the size of the compressed data, not the size after decompression.
16+
This can lead to applications accepting larger messages than expected
17+
and exceeding their intended resource usage.
18+
19+
## Acknowledgements
20+
21+
This issue was discovered and reported by Pranjali Thakur,
22+
DepthFirst Security Research Team.
23+
cvss_v4: 6.3
24+
patched_versions:
25+
- ">= 0.8.1"
26+
related:
27+
url:
28+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54464
29+
- https://rubygems.org/gems/websocket-driver/versions/0.8.1
30+
- https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#081--2026-06-04
31+
- https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-33ph-fccm-39pj
32+
notes: |
33+
- NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
34+
- date value from CHANGELOG URL.
35+
- cvss_v4 value came from GHSA.
36+
- CVE is reserved, but not published.
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
---
2+
gem: websocket-driver
3+
cve: 2026-54465
4+
ghsa: 8j3g-f24p-4mpw
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54465
6+
title: Memory exhaustion in HTTP header parser
7+
date: 2026-06-04
8+
description: |
9+
## Impact
10+
11+
If this library is used to implement a WebSocket server on top of a
12+
TCP server (rather than an HTTP server or framework) using the
13+
WebSocket::Driver.server() method, or, if it is used to complement
14+
a WebSocket client, then a peer can make a single connection consume
15+
an unbounded amount of memory by sending an HTTP request or response
16+
with a never-ending list of headers. This can lead to the receiving
17+
process running out of memory.
18+
19+
## Acknowledgements
20+
21+
This issue was discovered and reported by Pranjali Thakur,
22+
DepthFirst Security Research Team.
23+
cvss_v4: 8.3
24+
patched_versions:
25+
- ">= 0.8.1"
26+
related:
27+
url:
28+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54465
29+
- https://rubygems.org/gems/websocket-driver/versions/0.8.1
30+
- https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#081--2026-06-04
31+
- https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-8j3g-f24p-4mpw
32+
notes: |
33+
- NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
34+
- date value from CHANGELOG URL.
35+
- cvss_v4 value came from GHSA.
36+
- CVE is reserved, but not published.
Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
---
2+
gem: websocket-driver
3+
ghsa: 2x63-gw47-w4mm
4+
url: https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-2x63-gw47-w4mm
5+
title: Denial of service via malformed Host header
6+
date: 2026-06-23
7+
description: |
8+
## Impact
9+
10+
If this library is used to implement a WebSocket server on top of a
11+
TCP server, by using the WebSocket::Driver.server() method, then a
12+
client can cause the server to crash by sending a Host header that
13+
is not a valid host[:port] string. When this happens, a URI::InvalidURIError
14+
exception is raised which is not caught, and this can cause the server
15+
process to crash if the application does not catch the error from
16+
the parse() method itself.
17+
18+
## Acknowledgements
19+
20+
This issue was discovered and reported by Pranjali Thakur,
21+
DepthFirst Security Research Team.
22+
cvss_v4: 8.9
23+
patched_versions:
24+
- ">= 0.8.2"
25+
related:
26+
url:
27+
- https://rubygems.org/gems/websocket-driver/versions/0.8.2
28+
- https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md#082--2026-06-23
29+
- https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-2x63-gw47-w4mm
30+
notes: |
31+
- NOTE: Gem name is websocket-driver but repo name is websocket-driver-ruby.
32+
- date value from CHANGELOG URL.
33+
- cvss_v4 value came from GHSA.
34+
- No CVE, so no non-GHSA cvss values.

0 commit comments

Comments
 (0)