PT-2026-49552 · Npm+1 · Ws

Published: 2026-06-15 · Updated: 2026-06-16 · CVE-2026-48779

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

ws versions 1.1.0 through 5.2.4
ws versions 6.0.0 through 6.2.3
ws versions 7.0.0 through 7.5.10
ws versions 8.0.0 through 8.20.9

Description

ws is an open source WebSocket client and server for Node.js. A peer can send a high volume of exceptionally small fragments and data chunks using modest network traffic to force the remote peer to allocate and hold structural wrappers. These wrappers consume significantly more memory than the default documented message-size limit, which can lead to process termination due to Out of Memory (OOM), a state where the system cannot allocate more memory to a process. This results in a memory exhaustion Denial of Service (DoS).

Recommendations

Update versions 1.1.0 through 5.2.4 to 5.2.5.
Update versions 6.0.0 through 6.2.3 to 6.2.4.
Update versions 7.0.0 through 7.5.10 to 7.5.11.
Update versions 8.0.0 through 8.20.9 to 8.21.0.
As a mitigation measure, lower the value of the maxPayload option.
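
To find which installed copies of ws fall in the affected ranges above, including nested transitive copies, the following added example (not code from the ws project or from this advisory) scans the `packages` map of a package-lock.json. It assumes lockfileVersion 2 or 3; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: ranges and fixed versions are copied from this advisory.
const RANGES = [
  { from: [1, 1, 0], to: [5, 2, 4], fix: "5.2.5" },
  { from: [6, 0, 0], to: [6, 2, 3], fix: "6.2.4" },
  { from: [7, 0, 0], to: [7, 5, 10], fix: "7.5.11" },
  { from: [8, 0, 0], to: [8, 20, 9], fix: "8.21.0" },
];

// Parse "MAJOR.MINOR.PATCH". A pre-release or build suffix is ignored
// (a simplification of this example); unparseable input yields null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric, component-wise comparison so that 7.5.10 sorts after 7.5.9.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the fixed version to update to, or null if not listed as affected.
function fixFor(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const hit = RANGES.find((r) => compare(v, r.from) >= 0 && compare(v, r.to) <= 0);
  return hit ? hit.fix : null;
}

// Report every affected copy of ws in the lockfile's "packages" map.
function findAffectedWs(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== "node_modules/ws" && !path.endsWith("/node_modules/ws")) continue;
    const fix = fixFor(meta.version);
    if (fix) out.push({ path, version: meta.version, fix });
  }
  return out;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = {
  packages: {
    "node_modules/ws": { version: "8.21.0" },
    "node_modules/legacy-client/node_modules/ws": { version: "7.5.10" },
    "node_modules/wsx": { version: "7.0.0" }, // different package, must be skipped
  },
};
console.log(findAffectedWs(sampleLock));
```
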

Fix

Resource Exhaustion

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-48779
GHSA-96HV-2XVQ-FX4P

Affected Products

Ws