CVE-2026-54465

NameCVE-2026-54465
Descriptionwebsocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, when websocket-driver is used to implement a WebSocket server on top of a TCP server using WebSocket::Driver.server() or to complement a WebSocket client, a peer can make a single connection consume an unbounded amount of memory by sending an HTTP request or response with a never-ending list of headers. This can lead to the receiving process running out of memory. This issue is fixed in version 0.8.1.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-websocket-driver (PTS)bookworm, bullseye, trixie0.6.3-3vulnerable
forky0.8.1-1fixed
sid0.8.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-websocket-driversource(unstable)0.8.1-1

Notes

https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-8j3g-f24p-4mpw
Fixed by: https://github.com/faye/websocket-driver-ruby/commit/17b569f232896e71d458404ccf4854f80e987710 (0.8.1)

Search for package or bug name: Reporting problems