{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:ws_project:ws:*:*:*:*:*:node.js:*:*",
            "extracted_events": [
              {
                "introduced": "1.1.0"
              },
              {
                "fixed": "5.2.5"
              },
              {
                "introduced": "6.0.0"
              },
              {
                "fixed": "6.2.4"
              },
              {
                "introduced": "7.0.0"
              },
              {
                "fixed": "7.5.11"
              },
              {
                "introduced": "8.0.0"
              },
              {
                "fixed": "8.21.0"
              }
            ],
            "source": [
              "CPE_RANGE",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "4263f26d4dbe27e781c41a1ddfe3dab87dd9e1dc"
            },
            {
              "fixed": "b5372ac67bb97a773727b8e9f5035a8123556d53"
            },
            {
              "introduced": "1ee42fd67d365409096c11af0d6bc70fbe292c60"
            },
            {
              "fixed": "86d3e8a5fb0246ed373860c5fbb0de88824a27f7"
            },
            {
              "introduced": "092a822a41eb22f6d6745c18bc29b9c40715680f"
            },
            {
              "fixed": "fd36cd864fcdf62a08273a99e19a7d975401fee8"
            },
            {
              "introduced": "fc4024898c0da9b587c50a4a2d02d3ff88cddf06"
            },
            {
              "fixed": "bca91adf15677e47dbe4f959653452727be28b94"
            }
          ],
          "repo": "https://github.com/websockets/ws",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-96hv-2xvq-fx4p"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48779.json"
  },
  "details": "ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.",
  "id": "CVE-2026-48779",
  "modified": "2026-07-15T01:48:59.816016673Z",
  "published": "2026-06-16T21:26:22.537Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48779.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:26638"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:27171"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:29197"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:33155"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:33160"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:33163"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:33173"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:33183"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:33574"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:34342"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:36754"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:36820"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:37272"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/security/cve/CVE-2026-48779"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48779.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489661"
    },
    {
      "type": "FIX",
      "url": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7"
    },
    {
      "type": "FIX",
      "url": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53"
    },
    {
      "type": "FIX",
      "url": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"
    },
    {
      "type": "FIX",
      "url": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ws: Memory exhaustion DoS from tiny fragments and data chunks"
}