WebSocket Protocol Handler Vulnerability in websocket-driver by Faye
CVE-2026-54490

6.3MEDIUM

Key Information:

Vendor

Faye

Vendor
CVE Published:
17 July 2026

What is CVE-2026-54490?

The websocket-driver library, used for handling WebSocket protocols, contains an issue where the permessage-deflate extension allows servers and clients to accept messages exceeding the configured maximum size. This occurs because the library incorrectly checks the size limit against the lengths of compressed data frames rather than the decompressed message size, potentially leading to significant increases in resource consumption during message processing. This vulnerability has been addressed in version 0.7.5.

Affected Version(s)

websocket-driver-node < 0.7.5

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.