Memory Exhaustion Vulnerability in ws WebSocket Library
CVE-2026-62389
8.7HIGH
What is CVE-2026-62389?
The ws library prior to version 8.21.1 is vulnerable to a memory exhaustion attack due to improper handling of fragmented WebSocket messages. This vulnerability arises in the lib/receiver.js component, where the fragmentation guard does not activate until the fragment count reaches a set maximum. Attackers can exploit this by sending incomplete fragmented messages, including a text frame with FIN=0 followed by multiple continuation frames without completing the sequence. Consequently, each incomplete fragment occupies memory as a separate Buffer object, leading to increased memory consumption and potential Denial of Service (DoS) by exhausting server resources.
Affected Version(s)
ws 0 < 8.21.1
