CVE-2026-54466

NameCVE-2026-54466
Descriptionwebsocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, the frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a client can make the server parse these bytes into an ever-growing integer in lib/websocket/driver/draft75.js; because JavaScript numbers are 64-bit floating point values, this number will eventually lose precision and lead to the subsequent payload being parsed incorrectly. This issue is fixed in version 0.7.5.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1142415

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-websocket-driver (PTS)bookworm, trixie0.7.4+~cs0.6.7-2vulnerable
forky, sid0.7.4+~cs0.6.14-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-websocket-driversource(unstable)(unfixed)1142415

Notes

https://github.com/faye/websocket-driver-node/security/advisories/GHSA-xv26-6w52-cph6
Fixed by: https://github.com/faye/websocket-driver-node/commit/5b197ca874dab58e96cacad8a3c256797d804680 (0.7.5)

Search for package or bug name: Reporting problems