#1140429 node-ws: CVE-2026-48779

Package:
src:node-ws
Source:
src:node-ws
Submitter:
Salvatore Bonaccorso
Date:
2026-06-20 14:37:02 UTC
Severity:
normal
#1140429#5
Date:
2026-06-20 08:47:19 UTC
Hi,

The following vulnerability was published for node-ws.

CVE-2026-48779[0]:
| ws is an open source WebSocket client and server for Node.js. All
| versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up
| to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are
| affected by a memory exhaustion DoS vulnerability. A peer can send a
| high volume of exceptionally small fragments and data chunks, with
| modest network traffic, to force the remote peer into allocating and
| holding structural wrappers that consume far more memory than the
| default documented message-size limit, leading to process
| termination due to OOM. This issue has been fixed in versions 5.2.5,
| 6.2.4, 7.5.11, and 8.21.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48779
https://www.cve.org/CVERecord?id=CVE-2026-48779
[1] https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
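
An audit check for the version ranges quoted in the report above, as an added example that is not part of the bug log or of the ws project's code. It assumes the upper bound of every range is exclusive (those versions are listed as fixed); `checkWsVersion` and its helpers are hypothetical names.

```javascript
// Added example: ranges copied from the CVE-2026-48779 description.
// Each entry is [first affected, first fixed); the fixed bound is exclusive.
const AFFECTED_RANGES = [
  ['1.1.0', '5.2.5'],
  ['6.0.0', '6.2.4'],
  ['7.0.0', '7.5.11'],
  ['8.0.0', '8.21.0'],
];

// Reduce an npm or Debian version string to [major, minor, patch].
// Skips a Debian epoch ("1:") and ignores everything after x.y.z, such as
// the component suffix ("+~cs14.19.1") and the Debian revision ("-1").
// Returns null when the string does not start with an x.y.z version.
function parseUpstream(version) {
  const m = /^(?:\d+:)?v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison, so that 7.5.9 sorts before 7.5.11.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one version string against the ranges above.
function checkWsVersion(version) {
  const v = parseUpstream(version);
  if (v === null) return { status: 'unparseable', fixedIn: null };
  for (const [first, fixed] of AFFECTED_RANGES) {
    if (compare(v, parseUpstream(first)) >= 0 &&
        compare(v, parseUpstream(fixed)) < 0) {
      return { status: 'affected', fixedIn: fixed };
    }
  }
  return { status: 'not-affected', fixedIn: null };
}

// Constructed sample inputs (npm-style and Debian-style version strings).
for (const s of ['8.20.0', '7.5.9', '8.21.0+~cs14.19.1-1']) {
  console.log(s, checkWsVersion(s));
}
```

Pre-release tags and Debian `~` suffixes are ignored by the parser, so versions carrying them need a manual look.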

#1140429#8
Date:
2026-06-20 13:58:37 UTC
Hello,

Bug #1140429 in node-ws reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-ws/-/commit/23a8bab9dcdeb577aaba7a2bbd50819df7f6a71d

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140429

#1140429#18
Date:
2026-06-20 14:34:54 UTC
We believe that the bug you reported is fixed in the latest version of
node-ws, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140429@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-ws package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 20 Jun 2026 12:05:12 +0200
Source: node-ws
Architecture: source
Version: 8.21.0+~cs14.19.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 1140429
Changes:
 node-ws (8.21.0+~cs14.19.1-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version (Closes: #1140429, CVE-2026-48779)