Source: node-ws Version: 8.20.1+~cs14.19.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for node-ws. CVE-2026-48779[0]: | ws is an open source WebSocket client and server for Node.js. All | versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up | to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are | affected by a memory exhaustion DoS vulnerability. A peer can send a | high volume of exceptionally small fragments and data chunks, with | modest network traffic, to force the remote peer into allocating and | holding structural wrappers that consume far more memory than the | default documented message-size limit, leading to process | termination due to OOM. This issue has been fixed in versions 5.2.5, | 6.2.4, 7.5.11, and 8.21.0. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-48779 https://www.cve.org/CVERecord?id=CVE-2026-48779 [1] https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p Please adjust the affected versions in the BTS as needed. Regards, Salvatore -- Pkg-javascript-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
