<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ws (Before 8.21.1) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/ws-before-8.21.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 18:26:41 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/ws-before-8.21.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-62389 - ws Library Memory Exhaustion Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-62389-ws-memory-exhaustion/</link><pubDate>Wed, 15 Jul 2026 18:26:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-62389-ws-memory-exhaustion/</guid><description>A memory exhaustion vulnerability, CVE-2026-62389, exists in the 'ws' WebSocket library versions prior to 8.21.1, allowing attackers to exhaust server memory via incomplete fragmented WebSocket messages and cause denial of service.</description><content:encoded><![CDATA[<p>CVE-2026-62389 details a memory exhaustion vulnerability in the popular <code>ws</code> WebSocket library, specifically within its <code>lib/receiver.js</code> component, affecting versions prior to 8.21.1. This flaw allows a remote attacker to trigger a denial of service (DoS) condition on a server utilizing the vulnerable library. The vulnerability stems from an insufficient fragment guard that only activates when the fragment count reaches <code>maxFragments</code>. Attackers can bypass this by sending a text frame with the <code>FIN=0</code> flag, followed by subsequent continuation frames, without ever sending a final <code>FIN=1</code> frame to complete the WebSocket message. Each incomplete fragment is stored as a separate <code>Buffer</code> object with significant overhead, leading to rapid heap exhaustion and ultimately causing the target application to become unresponsive or crash. This vulnerability poses a direct threat to the availability of applications dependent on the <code>ws</code> library for WebSocket communication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Attacker Establishes WebSocket Connection:</strong> An attacker initiates a standard WebSocket connection to a target server running an application that uses the vulnerable <code>ws</code> library.</li>
<li><strong>Initial Incomplete Frame Transmission:</strong> The attacker sends a WebSocket text frame with the <code>FIN</code> (Fragment Final) bit explicitly set to <code>0</code>, signaling that this is the first part of a fragmented message.</li>
<li><strong>Subsequent Fragment Pushing:</strong> The attacker continues to send additional WebSocket continuation frames, each representing another fragment of the incomplete message.</li>
<li><strong>Omission of Final Frame:</strong> Crucially, the attacker intentionally avoids sending a final frame with the <code>FIN</code> bit set to <code>1</code>, ensuring the fragmented message remains incomplete.</li>
<li><strong>Memory Allocation and Accumulation:</strong> Due to the flaw in <code>lib/receiver.js</code>, the <code>ws</code> library stores each of these incomplete fragments as a distinct <code>Buffer</code> object in memory, bypassing the <code>maxFragments</code> guard because no single message ever completes.</li>
<li><strong>Heap Exhaustion:</strong> The attacker repeats this sequence of incomplete fragmented message transmissions, rapidly consuming available server memory by forcing the accumulation of numerous unreleased <code>Buffer</code> objects.</li>
<li><strong>Denial of Service:</strong> The server's application memory (heap) becomes fully exhausted, leading to the application freezing, crashing, or becoming unresponsive, effectively causing a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-62389 results in a denial of service (DoS) for applications or services that rely on the vulnerable <code>ws</code> WebSocket library. The primary impact is the unavailability of the affected service due to memory exhaustion, which can lead to application crashes or unresponsiveness. While specific victim counts are not provided, any unpatched server-side application using <code>ws</code> versions older than 8.21.1 is susceptible. The vulnerability does not directly lead to data compromise or arbitrary code execution but can severely disrupt business operations by taking critical services offline.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-62389 immediately</strong> by upgrading the <code>ws</code> library to version 8.21.1 or newer on all affected systems to mitigate the memory exhaustion vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>network</category><category>denial-of-service</category><category>vulnerability</category><category>websocket</category></item></channel></rss>