WebSocket Protocol Handling Vulnerability in Faye WebSocket Driver
CVE-2026-54466

9.2CRITICAL

Key Information:

Vendor

Faye

Vendor
CVE Published:
17 July 2026

What is CVE-2026-54466?

The Faye WebSocket Driver library is susceptible to a significant payload parsing issue due to its handling of the WebSocket protocol prior to version 0.7.5. In specific scenarios, an attacker can exploit the frame format in draft versions of the protocol, which allows them to send a continuous sequence of bytes encoded in a way that the server interprets as an ever-growing integer. This results in the loss of precision when the representation exceeds JavaScript’s inherent 64-bit floating point number capabilities, leading to malformed payload parsing. The issue has been addressed in version 0.7.5 and users are strongly advised to upgrade to this version or later to mitigate potential security risks.

Affected Version(s)

websocket-driver-node < 0.7.5

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.