
PEACH
Un cadre d’isolation des locataires
CVE-2026-54490 is a resource limit bypass vulnerability in the websocket-driver npm package (used in the faye/websocket-driver-node library) that allows WebSocket messages exceeding the configured maximum size to be accepted when the permessage-deflate compression extension is enabled. The flaw affects all versions of websocket-driver prior to 0.7.5. It was discovered by Pranjali Thakur of the DepthFirst Security Research Team, first published on June 4, 2026, and added to the GitHub Advisory Database on July 15, 2026. It carries a CVSS v4.0 base score of 6.3 (Medium) (GitHub Advisory).
The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The library enforces its maximum message size limit by checking the length field in WebSocket frame headers, which reflects the size of the compressed payload rather than the decompressed content. When the permessage-deflate extension is active, an attacker can craft highly compressible messages whose compressed size falls within the configured limit but whose decompressed size far exceeds it — a form of decompression bomb or data expansion attack (related to CAPEC-197: Exponential Data Expansion). The fix in version 0.7.5 corrects this by evaluating message length after processing by incoming extensions, ensuring the decompressed size is what is checked against the limit (GitHub Advisory, Security Advisory).
Successful exploitation causes affected WebSocket servers or clients to accept and process messages significantly larger than their configured maximum, leading to excessive memory and CPU consumption. This results in a degraded or unavailable service (availability impact), potentially causing application crashes or denial-of-service conditions for other connected users. There is no confidentiality or integrity impact — the vulnerability is limited to resource exhaustion on both the vulnerable system and any downstream systems it interacts with (GitHub Advisory).
websocket-driver npm package (version < 0.7.5) with the permessage-deflate compression extension enabled.permessage-deflate extension during the WebSocket handshake (via the Sec-WebSocket-Extensions header).permessage-deflate extension with small compressed frame sizes but high frequency or volume; repeated connections from the same source IP to WebSocket endpoints.The vendor has released a patched version: websocket-driver 0.7.5, which fixes the issue by checking message length after decompression by incoming extensions. All users should upgrade immediately by running npm install websocket-driver@0.7.5 or updating their package.json dependency. No configuration-based workarounds are available; the only remediation is upgrading to the patched version (GitHub Advisory, Release 0.7.5).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."