Skip to content
Threat Feed
low advisory

CVE-2026-62389 - ws Library Memory Exhaustion Vulnerability

A memory exhaustion vulnerability, CVE-2026-62389, exists in the 'ws' WebSocket library versions prior to 8.21.1, allowing attackers to exhaust server memory via incomplete fragmented WebSocket messages and cause denial of service.

CVE-2026-62389 details a memory exhaustion vulnerability in the popular ws WebSocket library, specifically within its lib/receiver.js component, affecting versions prior to 8.21.1. This flaw allows a remote attacker to trigger a denial of service (DoS) condition on a server utilizing the vulnerable library. The vulnerability stems from an insufficient fragment guard that only activates when the fragment count reaches maxFragments. Attackers can bypass this by sending a text frame with the FIN=0 flag, followed by subsequent continuation frames, without ever sending a final FIN=1 frame to complete the WebSocket message. Each incomplete fragment is stored as a separate Buffer object with significant overhead, leading to rapid heap exhaustion and ultimately causing the target application to become unresponsive or crash. This vulnerability poses a direct threat to the availability of applications dependent on the ws library for WebSocket communication.

Attack Chain

  1. Attacker Establishes WebSocket Connection: An attacker initiates a standard WebSocket connection to a target server running an application that uses the vulnerable ws library.
  2. Initial Incomplete Frame Transmission: The attacker sends a WebSocket text frame with the FIN (Fragment Final) bit explicitly set to 0, signaling that this is the first part of a fragmented message.
  3. Subsequent Fragment Pushing: The attacker continues to send additional WebSocket continuation frames, each representing another fragment of the incomplete message.
  4. Omission of Final Frame: Crucially, the attacker intentionally avoids sending a final frame with the FIN bit set to 1, ensuring the fragmented message remains incomplete.
  5. Memory Allocation and Accumulation: Due to the flaw in lib/receiver.js, the ws library stores each of these incomplete fragments as a distinct Buffer object in memory, bypassing the maxFragments guard because no single message ever completes.
  6. Heap Exhaustion: The attacker repeats this sequence of incomplete fragmented message transmissions, rapidly consuming available server memory by forcing the accumulation of numerous unreleased Buffer objects.
  7. Denial of Service: The server's application memory (heap) becomes fully exhausted, leading to the application freezing, crashing, or becoming unresponsive, effectively causing a denial of service.

Impact

Successful exploitation of CVE-2026-62389 results in a denial of service (DoS) for applications or services that rely on the vulnerable ws WebSocket library. The primary impact is the unavailability of the affected service due to memory exhaustion, which can lead to application crashes or unresponsiveness. While specific victim counts are not provided, any unpatched server-side application using ws versions older than 8.21.1 is susceptible. The vulnerability does not directly lead to data compromise or arbitrary code execution but can severely disrupt business operations by taking critical services offline.

Recommendation

  • Patch CVE-2026-62389 immediately by upgrading the ws library to version 8.21.1 or newer on all affected systems to mitigate the memory exhaustion vulnerability.