Skip to content
Threat Feed
medium advisory

Message Corruption Vulnerability in websocket-driver Library (CVE-2026-54466)

A critical vulnerability, CVE-2026-54466, in the `websocket-driver` npm library allows remote attackers to cause message corruption by sending specially crafted WebSocket frames that exploit improper handling of the protocol's length header, leading to incorrect parsing of subsequent payload data.

A critical vulnerability, tracked as CVE-2026-54466, has been identified in the websocket-driver npm package, affecting versions prior to 0.7.5. This flaw stems from an issue in how the library parses the length header in draft versions of the WebSocket protocol. An attacker can craft a malicious WebSocket frame containing an indefinitely long sequence of bytes (0x80 or above) in the length header field. This forces the server-side websocket-driver to attempt parsing an ever-growing integer for the message length. As JavaScript numbers are 64-bit floating-point values, this process eventually leads to a loss of precision, causing the subsequent WebSocket payload to be parsed incorrectly. This message corruption can disrupt application functionality, lead to data integrity issues, or potentially facilitate further attacks by misinterpreting critical message content. All users are advised to upgrade to version 0.7.5 or later to mitigate this risk.

Attack Chain

  1. An attacker crafts a WebSocket frame designed to exploit the length header parsing vulnerability.
  2. The attacker sends this malicious WebSocket frame to a server running an application that uses the vulnerable websocket-driver library (version < 0.7.5).
  3. The crafted frame includes an indefinite sequence of bytes (values 0x80 or above) in the WebSocket protocol's length header field.
  4. The server-side websocket-driver attempts to parse this extended length header into an integer.
  5. Due to the arbitrary size of the crafted length header and the limitations of JavaScript's 64-bit floating-point number representation, the integer value loses precision.
  6. This precision loss results in the websocket-driver incorrectly calculating the actual length of the subsequent payload data.
  7. The application processes the payload based on this corrupted length, leading to message corruption and misinterpretation of data.

Impact

The successful exploitation of CVE-2026-54466 can lead to severe message corruption within applications utilizing the vulnerable websocket-driver library. This corruption can manifest as data integrity issues, application instability, denial of service, or unpredictable behavior. Depending on the criticality of the data exchanged over WebSocket, attackers could potentially manipulate application state or bypass security controls by causing a misinterpretation of commands or sensitive information. While specific victim counts or targeted sectors are not detailed, any application relying on an unpatched websocket-driver version is susceptible. There are no known workarounds for this issue, making patching essential.

Recommendation

  • Patch CVE-2026-54466 by upgrading the websocket-driver npm package to version 0.7.5 or later immediately.