CVE-2026-54490 in websocket-driverinfo

Summary

by MITRE • 07/18/2026

websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, if this library is used with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size because the limit is checked against the message frames' length headers, which give the size of the compressed data, not the size after decompression in lib/websocket/driver/hybi.js. This can lead to applications accepting larger messages than expected and exceeding their intended resource usage. This issue is fixed in version 0.7.5.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/18/2026

The websocket-driver library represents a critical vulnerability in WebSocket protocol handling that affects applications relying on the permessage-deflate extension for compression. This flaw exists in versions prior to 0.7.5 where the library fails to properly validate message sizes when decompressing data, creating a significant security gap in resource management. The vulnerability stems from a fundamental misunderstanding of how compressed data should be measured against configured limits, specifically when dealing with the hybi.js implementation that handles WebSocket protocol compliance.

The technical flaw manifests when applications configure maximum message size limits to prevent resource exhaustion attacks. However, due to the improper validation mechanism, these limits are enforced against compressed data frame lengths rather than the actual decompressed content size. This means that an attacker can craft malicious messages that appear small in their compressed form but expand significantly once decompressed by the websocket-driver library. The permessage-deflate extension, designed to optimize network usage through compression, becomes a vector for resource exhaustion attacks when this validation bypass occurs.

The operational impact of this vulnerability extends beyond simple denial-of-service conditions to potentially enable more sophisticated attacks targeting application memory and processing resources. When applications accept messages larger than their intended limits, they become vulnerable to memory exhaustion attacks that can cause crashes, performance degradation, or even system instability. The issue affects both WebSocket servers and clients equally, meaning any application using this library with compression enabled could be compromised. This vulnerability directly relates to CWE-129 and CWE-131 in the Common Weakness Enumeration catalog, which address insufficient input validation and improper handling of resource limits.

Attackers can exploit this weakness by sending carefully crafted compressed messages that appear below the configured size threshold but decompress to exceed memory allocation limits. The ATT&CK framework categorizes this as a resource exhaustion technique where attackers manipulate system resources through protocol-level vulnerabilities. The vulnerability allows for bypassing expected security controls and can be particularly dangerous in environments with limited memory resources or applications that do not implement additional protective measures beyond the library's built-in limits.

The fix implemented in version 0.7.5 addresses this by ensuring that message size validation occurs against the decompressed content rather than the compressed frame headers. This change aligns with proper WebSocket protocol implementation standards and ensures that resource limits are enforced correctly regardless of compression state. Organizations using websocket-driver should immediately upgrade to version 0.7.5 or later to mitigate this risk, while also reviewing their application configurations to ensure appropriate message size limits are in place. The vulnerability demonstrates the importance of thorough protocol validation and proper handling of compressed data in network security implementations.

Responsible

GitHub M

Reservation

06/15/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!