CVE-2026-54463

NameCVE-2026-54463
Descriptionwebsocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, draft versions of the WebSocket protocol in websocket-driver include a length header that allows an arbitrarily large integer to be encoded as bytes with the high bit set, and a server or client can send an indefinite sequence of 0x80 or higher bytes that the peer parses into an ever-growing Ruby integer. This can make a WebSocket connection consume an unbounded amount of memory and lead to the host process running out of memory. This issue is fixed in version 0.8.1.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-websocket-driver (PTS)bookworm, bullseye, trixie0.6.3-3vulnerable
forky0.8.1-1fixed
sid0.8.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-websocket-driversource(unstable)0.8.1-1

Notes

https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-ghhp-3qvg-889p
Fixed by: https://github.com/faye/websocket-driver-ruby/commit/d0141f041f6e3677a951255d547a313e732ccbe0 (0.8.1)

Search for package or bug name: Reporting problems