{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/ws/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-62389"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ws (before 8.21.1)"],"_cs_severities":["low"],"_cs_tags":["network","denial-of-service","vulnerability","websocket"],"_cs_type":"advisory","_cs_vendors":["ws"],"content_html":"\u003cp\u003eCVE-2026-62389 details a memory exhaustion vulnerability in the popular \u003ccode\u003ews\u003c/code\u003e WebSocket library, specifically within its \u003ccode\u003elib/receiver.js\u003c/code\u003e component, affecting versions prior to 8.21.1. This flaw allows a remote attacker to trigger a denial of service (DoS) condition on a server utilizing the vulnerable library. The vulnerability stems from an insufficient fragment guard that only activates when the fragment count reaches \u003ccode\u003emaxFragments\u003c/code\u003e. Attackers can bypass this by sending a text frame with the \u003ccode\u003eFIN=0\u003c/code\u003e flag, followed by subsequent continuation frames, without ever sending a final \u003ccode\u003eFIN=1\u003c/code\u003e frame to complete the WebSocket message. Each incomplete fragment is stored as a separate \u003ccode\u003eBuffer\u003c/code\u003e object with significant overhead, leading to rapid heap exhaustion and ultimately causing the target application to become unresponsive or crash. This vulnerability poses a direct threat to the availability of applications dependent on the \u003ccode\u003ews\u003c/code\u003e library for WebSocket communication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Establishes WebSocket Connection:\u003c/strong\u003e An attacker initiates a standard WebSocket connection to a target server running an application that uses the vulnerable \u003ccode\u003ews\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Incomplete Frame Transmission:\u003c/strong\u003e The attacker sends a WebSocket text frame with the \u003ccode\u003eFIN\u003c/code\u003e (Fragment Final) bit explicitly set to \u003ccode\u003e0\u003c/code\u003e, signaling that this is the first part of a fragmented message.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSubsequent Fragment Pushing:\u003c/strong\u003e The attacker continues to send additional WebSocket continuation frames, each representing another fragment of the incomplete message.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOmission of Final Frame:\u003c/strong\u003e Crucially, the attacker intentionally avoids sending a final frame with the \u003ccode\u003eFIN\u003c/code\u003e bit set to \u003ccode\u003e1\u003c/code\u003e, ensuring the fragmented message remains incomplete.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMemory Allocation and Accumulation:\u003c/strong\u003e Due to the flaw in \u003ccode\u003elib/receiver.js\u003c/code\u003e, the \u003ccode\u003ews\u003c/code\u003e library stores each of these incomplete fragments as a distinct \u003ccode\u003eBuffer\u003c/code\u003e object in memory, bypassing the \u003ccode\u003emaxFragments\u003c/code\u003e guard because no single message ever completes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHeap Exhaustion:\u003c/strong\u003e The attacker repeats this sequence of incomplete fragmented message transmissions, rapidly consuming available server memory by forcing the accumulation of numerous unreleased \u003ccode\u003eBuffer\u003c/code\u003e objects.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service:\u003c/strong\u003e The server's application memory (heap) becomes fully exhausted, leading to the application freezing, crashing, or becoming unresponsive, effectively causing a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-62389 results in a denial of service (DoS) for applications or services that rely on the vulnerable \u003ccode\u003ews\u003c/code\u003e WebSocket library. The primary impact is the unavailability of the affected service due to memory exhaustion, which can lead to application crashes or unresponsiveness. While specific victim counts are not provided, any unpatched server-side application using \u003ccode\u003ews\u003c/code\u003e versions older than 8.21.1 is susceptible. The vulnerability does not directly lead to data compromise or arbitrary code execution but can severely disrupt business operations by taking critical services offline.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-62389 immediately\u003c/strong\u003e by upgrading the \u003ccode\u003ews\u003c/code\u003e library to version 8.21.1 or newer on all affected systems to mitigate the memory exhaustion vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T18:26:41Z","date_published":"2026-07-15T18:26:41Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-62389-ws-memory-exhaustion/","summary":"A memory exhaustion vulnerability, CVE-2026-62389, exists in the 'ws' WebSocket library versions prior to 8.21.1, allowing attackers to exhaust server memory via incomplete fragmented WebSocket messages and cause denial of service.","title":"CVE-2026-62389 - ws Library Memory Exhaustion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-62389-ws-memory-exhaustion/"}],"language":"en","title":"CraftedSignal Threat Feed - Ws","version":"https://jsonfeed.org/version/1.1"}