Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for websocket-driver-ruby by faye
CVE-2026-54465 (GCVE-0-2026-54465)
Vulnerability from nvd – Published: 2026-07-17 20:06 – Updated: 2026-07-17 20:06
VLAI
EPSS
VEX
Title
websocket-driver: Memory exhaustion in HTTP header parser
Summary
websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, when websocket-driver is used to implement a WebSocket server on top of a TCP server using WebSocket::Driver.server() or to complement a WebSocket client, a peer can make a single connection consume an unbounded amount of memory by sending an HTTP request or response with a never-ending list of headers. This can lead to the receiving process running out of memory. This issue is fixed in version 0.8.1.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/faye/websocket-driver-ruby/sec… | x_refsource_CONFIRM |
| https://github.com/faye/websocket-driver-ruby/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| faye | websocket-driver-ruby |
Affected:
< 0.8.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "websocket-driver-ruby",
"vendor": "faye",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, when websocket-driver is used to implement a WebSocket server on top of a TCP server using WebSocket::Driver.server() or to complement a WebSocket client, a peer can make a single connection consume an unbounded amount of memory by sending an HTTP request or response with a never-ending list of headers. This can lead to the receiving process running out of memory. This issue is fixed in version 0.8.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T20:06:06.980Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-8j3g-f24p-4mpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-8j3g-f24p-4mpw"
},
{
"name": "https://github.com/faye/websocket-driver-ruby/commit/17b569f232896e71d458404ccf4854f80e987710",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/faye/websocket-driver-ruby/commit/17b569f232896e71d458404ccf4854f80e987710"
}
],
"source": {
"advisory": "GHSA-8j3g-f24p-4mpw",
"discovery": "UNKNOWN"
},
"title": "websocket-driver: Memory exhaustion in HTTP header parser"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54465",
"datePublished": "2026-07-17T20:06:06.980Z",
"dateReserved": "2026-06-15T15:30:40.319Z",
"dateUpdated": "2026-07-17T20:06:06.980Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54464 (GCVE-0-2026-54464)
Vulnerability from nvd – Published: 2026-07-17 20:03 – Updated: 2026-07-17 20:03
VLAI
EPSS
VEX
Title
websocket-driver: Resource limit bypass via message compression
Summary
### Impact
If this library is used in tandem with the `permessage-deflate` extension, a
WebSocket server or client can be made to accept messages that are larger than
the configured maximum message size. This is because this limit is checked
against the message frames' length headers, which give the size of the
compressed data, not the size after decompression. This can lead to applications
accepting larger messages than expected and exceeding their intended resource
usage.
### Patches
The issue has been patched in version 0.8.1, by checking the length of messages
after they are processed by incoming extensions. All users should upgrade to
this version.
### Workarounds
No known workarounds exist.
### Acknowledgements
This issue was discovered and reported by Pranjali Thakur, DepthFirst Security
Research Team.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/faye/websocket-driver-ruby/sec… | x_refsource_CONFIRM |
| https://github.com/faye/websocket-driver-ruby/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| faye | websocket-driver-ruby |
Affected:
< 0.8.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "websocket-driver-ruby",
"vendor": "faye",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "### Impact\n\nIf this library is used in tandem with the `permessage-deflate` extension, a\nWebSocket server or client can be made to accept messages that are larger than\nthe configured maximum message size. This is because this limit is checked\nagainst the message frames\u0027 length headers, which give the size of the\ncompressed data, not the size after decompression. This can lead to applications\naccepting larger messages than expected and exceeding their intended resource\nusage.\n\n### Patches\n\nThe issue has been patched in version 0.8.1, by checking the length of messages\nafter they are processed by incoming extensions. All users should upgrade to\nthis version.\n\n### Workarounds\n\nNo known workarounds exist.\n\n### Acknowledgements\n\nThis issue was discovered and reported by Pranjali Thakur, DepthFirst Security\nResearch Team."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T20:03:36.326Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-33ph-fccm-39pj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-33ph-fccm-39pj"
},
{
"name": "https://github.com/faye/websocket-driver-ruby/commit/fa8641724f10bf3273585f1dcf9041f540bbd036",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/faye/websocket-driver-ruby/commit/fa8641724f10bf3273585f1dcf9041f540bbd036"
}
],
"source": {
"advisory": "GHSA-33ph-fccm-39pj",
"discovery": "UNKNOWN"
},
"title": "websocket-driver: Resource limit bypass via message compression"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54464",
"datePublished": "2026-07-17T20:03:36.326Z",
"dateReserved": "2026-06-15T15:30:40.319Z",
"dateUpdated": "2026-07-17T20:03:36.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54463 (GCVE-0-2026-54463)
Vulnerability from nvd – Published: 2026-07-17 20:05 – Updated: 2026-07-17 20:05
VLAI
EPSS
VEX
Title
websocket-driver: Memory exhaustion via abuse of protocol length headers
Summary
websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, draft versions of the WebSocket protocol in websocket-driver include a length header that allows an arbitrarily large integer to be encoded as bytes with the high bit set, and a server or client can send an indefinite sequence of 0x80 or higher bytes that the peer parses into an ever-growing Ruby integer. This can make a WebSocket connection consume an unbounded amount of memory and lead to the host process running out of memory. This issue is fixed in version 0.8.1.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/faye/websocket-driver-ruby/sec… | x_refsource_CONFIRM |
| https://github.com/faye/websocket-driver-ruby/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| faye | websocket-driver-ruby |
Affected:
< 0.8.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "websocket-driver-ruby",
"vendor": "faye",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, draft versions of the WebSocket protocol in websocket-driver include a length header that allows an arbitrarily large integer to be encoded as bytes with the high bit set, and a server or client can send an indefinite sequence of 0x80 or higher bytes that the peer parses into an ever-growing Ruby integer. This can make a WebSocket connection consume an unbounded amount of memory and lead to the host process running out of memory. This issue is fixed in version 0.8.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T20:05:17.888Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-ghhp-3qvg-889p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-ghhp-3qvg-889p"
},
{
"name": "https://github.com/faye/websocket-driver-ruby/commit/d0141f041f6e3677a951255d547a313e732ccbe0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/faye/websocket-driver-ruby/commit/d0141f041f6e3677a951255d547a313e732ccbe0"
}
],
"source": {
"advisory": "GHSA-ghhp-3qvg-889p",
"discovery": "UNKNOWN"
},
"title": "websocket-driver: Memory exhaustion via abuse of protocol length headers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54463",
"datePublished": "2026-07-17T20:05:17.888Z",
"dateReserved": "2026-06-15T15:30:40.319Z",
"dateUpdated": "2026-07-17T20:05:17.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54465 (GCVE-0-2026-54465)
Vulnerability from cvelistv5 – Published: 2026-07-17 20:06 – Updated: 2026-07-17 20:06
VLAI
EPSS
VEX
Title
websocket-driver: Memory exhaustion in HTTP header parser
Summary
websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, when websocket-driver is used to implement a WebSocket server on top of a TCP server using WebSocket::Driver.server() or to complement a WebSocket client, a peer can make a single connection consume an unbounded amount of memory by sending an HTTP request or response with a never-ending list of headers. This can lead to the receiving process running out of memory. This issue is fixed in version 0.8.1.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/faye/websocket-driver-ruby/sec… | x_refsource_CONFIRM |
| https://github.com/faye/websocket-driver-ruby/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| faye | websocket-driver-ruby |
Affected:
< 0.8.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "websocket-driver-ruby",
"vendor": "faye",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, when websocket-driver is used to implement a WebSocket server on top of a TCP server using WebSocket::Driver.server() or to complement a WebSocket client, a peer can make a single connection consume an unbounded amount of memory by sending an HTTP request or response with a never-ending list of headers. This can lead to the receiving process running out of memory. This issue is fixed in version 0.8.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T20:06:06.980Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-8j3g-f24p-4mpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-8j3g-f24p-4mpw"
},
{
"name": "https://github.com/faye/websocket-driver-ruby/commit/17b569f232896e71d458404ccf4854f80e987710",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/faye/websocket-driver-ruby/commit/17b569f232896e71d458404ccf4854f80e987710"
}
],
"source": {
"advisory": "GHSA-8j3g-f24p-4mpw",
"discovery": "UNKNOWN"
},
"title": "websocket-driver: Memory exhaustion in HTTP header parser"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54465",
"datePublished": "2026-07-17T20:06:06.980Z",
"dateReserved": "2026-06-15T15:30:40.319Z",
"dateUpdated": "2026-07-17T20:06:06.980Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54463 (GCVE-0-2026-54463)
Vulnerability from cvelistv5 – Published: 2026-07-17 20:05 – Updated: 2026-07-17 20:05
VLAI
EPSS
VEX
Title
websocket-driver: Memory exhaustion via abuse of protocol length headers
Summary
websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, draft versions of the WebSocket protocol in websocket-driver include a length header that allows an arbitrarily large integer to be encoded as bytes with the high bit set, and a server or client can send an indefinite sequence of 0x80 or higher bytes that the peer parses into an ever-growing Ruby integer. This can make a WebSocket connection consume an unbounded amount of memory and lead to the host process running out of memory. This issue is fixed in version 0.8.1.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/faye/websocket-driver-ruby/sec… | x_refsource_CONFIRM |
| https://github.com/faye/websocket-driver-ruby/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| faye | websocket-driver-ruby |
Affected:
< 0.8.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "websocket-driver-ruby",
"vendor": "faye",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, draft versions of the WebSocket protocol in websocket-driver include a length header that allows an arbitrarily large integer to be encoded as bytes with the high bit set, and a server or client can send an indefinite sequence of 0x80 or higher bytes that the peer parses into an ever-growing Ruby integer. This can make a WebSocket connection consume an unbounded amount of memory and lead to the host process running out of memory. This issue is fixed in version 0.8.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T20:05:17.888Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-ghhp-3qvg-889p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-ghhp-3qvg-889p"
},
{
"name": "https://github.com/faye/websocket-driver-ruby/commit/d0141f041f6e3677a951255d547a313e732ccbe0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/faye/websocket-driver-ruby/commit/d0141f041f6e3677a951255d547a313e732ccbe0"
}
],
"source": {
"advisory": "GHSA-ghhp-3qvg-889p",
"discovery": "UNKNOWN"
},
"title": "websocket-driver: Memory exhaustion via abuse of protocol length headers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54463",
"datePublished": "2026-07-17T20:05:17.888Z",
"dateReserved": "2026-06-15T15:30:40.319Z",
"dateUpdated": "2026-07-17T20:05:17.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54464 (GCVE-0-2026-54464)
Vulnerability from cvelistv5 – Published: 2026-07-17 20:03 – Updated: 2026-07-17 20:03
VLAI
EPSS
VEX
Title
websocket-driver: Resource limit bypass via message compression
Summary
### Impact
If this library is used in tandem with the `permessage-deflate` extension, a
WebSocket server or client can be made to accept messages that are larger than
the configured maximum message size. This is because this limit is checked
against the message frames' length headers, which give the size of the
compressed data, not the size after decompression. This can lead to applications
accepting larger messages than expected and exceeding their intended resource
usage.
### Patches
The issue has been patched in version 0.8.1, by checking the length of messages
after they are processed by incoming extensions. All users should upgrade to
this version.
### Workarounds
No known workarounds exist.
### Acknowledgements
This issue was discovered and reported by Pranjali Thakur, DepthFirst Security
Research Team.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/faye/websocket-driver-ruby/sec… | x_refsource_CONFIRM |
| https://github.com/faye/websocket-driver-ruby/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| faye | websocket-driver-ruby |
Affected:
< 0.8.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "websocket-driver-ruby",
"vendor": "faye",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "### Impact\n\nIf this library is used in tandem with the `permessage-deflate` extension, a\nWebSocket server or client can be made to accept messages that are larger than\nthe configured maximum message size. This is because this limit is checked\nagainst the message frames\u0027 length headers, which give the size of the\ncompressed data, not the size after decompression. This can lead to applications\naccepting larger messages than expected and exceeding their intended resource\nusage.\n\n### Patches\n\nThe issue has been patched in version 0.8.1, by checking the length of messages\nafter they are processed by incoming extensions. All users should upgrade to\nthis version.\n\n### Workarounds\n\nNo known workarounds exist.\n\n### Acknowledgements\n\nThis issue was discovered and reported by Pranjali Thakur, DepthFirst Security\nResearch Team."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T20:03:36.326Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-33ph-fccm-39pj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-33ph-fccm-39pj"
},
{
"name": "https://github.com/faye/websocket-driver-ruby/commit/fa8641724f10bf3273585f1dcf9041f540bbd036",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/faye/websocket-driver-ruby/commit/fa8641724f10bf3273585f1dcf9041f540bbd036"
}
],
"source": {
"advisory": "GHSA-33ph-fccm-39pj",
"discovery": "UNKNOWN"
},
"title": "websocket-driver: Resource limit bypass via message compression"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54464",
"datePublished": "2026-07-17T20:03:36.326Z",
"dateReserved": "2026-06-15T15:30:40.319Z",
"dateUpdated": "2026-07-17T20:03:36.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}