CVE-2026-54490
JavaScript Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-54490 is a resource limit bypass vulnerability in the websocket-driver npm package (used in the faye/websocket-driver-node library) that allows WebSocket messages exceeding the configured maximum size to be accepted when the permessage-deflate compression extension is enabled. The flaw affects all versions of websocket-driver prior to 0.7.5. It was discovered by Pranjali Thakur of the DepthFirst Security Research Team, first published on June 4, 2026, and added to the GitHub Advisory Database on July 15, 2026. It carries a CVSS v4.0 base score of 6.3 (Medium) (GitHub Advisory).

Détails techniques

The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The library enforces its maximum message size limit by checking the length field in WebSocket frame headers, which reflects the size of the compressed payload rather than the decompressed content. When the permessage-deflate extension is active, an attacker can craft highly compressible messages whose compressed size falls within the configured limit but whose decompressed size far exceeds it — a form of decompression bomb or data expansion attack (related to CAPEC-197: Exponential Data Expansion). The fix in version 0.7.5 corrects this by evaluating message length after processing by incoming extensions, ensuring the decompressed size is what is checked against the limit (GitHub Advisory, Security Advisory).

Impact

Successful exploitation causes affected WebSocket servers or clients to accept and process messages significantly larger than their configured maximum, leading to excessive memory and CPU consumption. This results in a degraded or unavailable service (availability impact), potentially causing application crashes or denial-of-service conditions for other connected users. There is no confidentiality or integrity impact — the vulnerability is limited to resource exhaustion on both the vulnerable system and any downstream systems it interacts with (GitHub Advisory).

Étapes d’exploitation

  1. Identify target: Locate a WebSocket server or client application using the websocket-driver npm package (version < 0.7.5) with the permessage-deflate compression extension enabled.
  2. Establish WebSocket connection: Connect to the target WebSocket endpoint and negotiate the permessage-deflate extension during the WebSocket handshake (via the Sec-WebSocket-Extensions header).
  3. Craft decompression bomb payload: Construct a message consisting of highly repetitive or compressible data (e.g., a large string of repeated characters) that compresses to a size below the server's configured maximum message size limit.
  4. Send compressed message: Transmit the crafted compressed WebSocket frame to the target. The server checks the frame's length header (compressed size), which passes the limit check, and then decompresses the payload into a much larger in-memory buffer.
  5. Exhaust resources: Repeat the process with multiple connections or messages to amplify memory and CPU consumption, potentially causing service degradation or denial of service (GitHub Advisory, Security Advisory).

Indicateurs de compromis

  • Network: Unusual WebSocket connections negotiating permessage-deflate extension with small compressed frame sizes but high frequency or volume; repeated connections from the same source IP to WebSocket endpoints.
  • Logs: Application logs showing memory allocation errors, out-of-memory exceptions, or unusually large message processing times for WebSocket connections; Node.js process logs indicating heap size growth.
  • Process: Node.js process exhibiting abnormally high memory usage or CPU consumption correlated with WebSocket activity; process crashes or restarts due to memory exhaustion.

Atténuation et solutions de contournement

The vendor has released a patched version: websocket-driver 0.7.5, which fixes the issue by checking message length after decompression by incoming extensions. All users should upgrade immediately by running npm install websocket-driver@0.7.5 or updating their package.json dependency. No configuration-based workarounds are available; the only remediation is upgrading to the patched version (GitHub Advisory, Release 0.7.5).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté JavaScript Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54504HIGH8.8
  • JavaScript logoJavaScript
  • @andrea9293/mcp-documentation-server
NonOuiJul 15, 2026
CVE-2026-50289HIGH8.7
  • JavaScript logoJavaScript
  • systeminformation
NonOuiJul 15, 2026
CVE-2026-48795HIGH8.6
  • JavaScript logoJavaScript
  • @adonisjs/bodyparser
NonOuiJul 15, 2026
CVE-2026-50272HIGH7.5
  • JavaScript logoJavaScript
  • dd-trace
NonOuiJul 15, 2026
CVE-2026-54490MEDIUM6.3
  • JavaScript logoJavaScript
  • websocket-driver
NonOuiJul 15, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités