Lucene search
+L

79 matches found

nvd
nvd
added 2 days ago4 views

CVE-2026-15709

A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop inflate processes data in chunks without enforcing an upper boundary limit on the output buffer size. While libsoup limits the incoming compressed frame size via...

7.5CVSS0.00548EPSS
Exploits0References3
cve
cve
added 2 days ago8 views

CVE-2026-15709

The CVE concerns libsoup's WebSocket permessage-deflate implementation. The decompression loop (inflate()) can allocate memory without an upper bound, as output size is not bounded during decompression even though max_incoming_payload_size limits input frames. A separate check for decompressed si...

7.5CVSS6.1AI score0.00548EPSS
Exploits0References3
cvelist
cvelist
added 2 days ago32 views

CVE-2026-15709 Soupwebsocketextensiondeflate: libsoup: libsoup: websocket permessage-deflate unbounded decompression remote denial of service

A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop inflate processes data in chunks without enforcing an upper boundary limit on the output buffer size. While libsoup limits the incoming compressed frame size via...

7.5CVSS0.00548EPSS
Exploits0References3
redhatcve
redhatcve
added 2 days ago6 views

CVE-2026-15709

A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop inflate processes data in chunks without enforcing an upper boundary limit on the output buffer size. While libsoup limits the incoming compressed frame size via...

7.5CVSS6.1AI score0.00548EPSS
Exploits0References4
redhatcve
redhatcve
added 2026/05/13 2:21 p.m.12 views

CVE-2026-39804

A flaw was found in bandit. An unauthenticated attacker who can open a WebSocket connection can exploit a vulnerability when WebSocket permessage-deflate compression is enabled. This flaw allows for memory exhaustion by sending a highly compressed frame that, when decompressed, forces large memor...

8.2CVSS5.7AI score0.00625EPSS
Exploits0References7
euvd
euvd
added 2026/05/07 3:36 a.m.5 views

EUVD-2026-26711

Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame...

8.2CVSS5.8AI score0.00625EPSS
Exploits0References5
osv
osv
added 2026/05/07 3:36 a.m.6 views

GHSA-FRH3-6PV6-RC8J Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame

Summary When a Bandit-fronted server has explicitly enabled WebSocket permessage-deflate compress: true, an unauthenticated client can OOM the BEAM with a single 6 MiB WebSocket frame. Bandit's inflate step has no output-size cap, so a small high-ratio compressed frame e.g. zeros, 1024:1 ratio...

8.2CVSS5.9AI score0.00625EPSS
Exploits0References6
github
github
added 2026/05/07 3:36 a.m.15 views

Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame

Summary When a Bandit-fronted server has explicitly enabled WebSocket permessage-deflate compress: true, an unauthenticated client can OOM the BEAM with a single 6 MiB WebSocket frame. Bandit's inflate step has no output-size cap, so a small high-ratio compressed frame e.g. zeros, 1024:1 ratio...

8.2CVSS5.9AI score0.00625EPSS
Exploits0References6Affected Software1
nvd
nvd
added 2026/05/01 9:16 p.m.10 views

CVE-2026-39804

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in...

8.2CVSS0.00625EPSS
Exploits0References4
cvelist
cvelist
added 2026/05/01 8:34 p.m.29 views

CVE-2026-39804 WebSocket permessage-deflate inflate has no output-size cap in bandit

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in...

8.2CVSS0.00625EPSS
Exploits0References4
osv
osv
added 2026/05/01 8:34 p.m.6 views

EEF-CVE-2026-39804 WebSocket permessage-deflate inflate has no output-size cap in bandit

Summary Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in...

8.2CVSS6.2AI score0.00625EPSS
Exploits0References4
attackerkb
attackerkb
added 2026/05/01 8:34 p.m.3 views

CVE-2026-39804

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in...

8.2CVSS5.9AI score0.00625EPSS
Exploits0References5Affected Software1
osv
osv
added 2026/05/01 8:34 p.m.3 views

CVE-2026-39804 WebSocket permessage-deflate inflate has no output-size cap in bandit

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in...

8.2CVSS6.1AI score0.00625EPSS
Exploits0References9
cve
cve
added 2026/05/01 8:34 p.m.17 views

CVE-2026-39804

The vulnerability CVE-2026-39804 affects Bandit (Elixir) WebSocket permessage-deflate handling. The function Elixir.Bandit.WebSocket.PerMessageDeflate.inflate/2 calls :zlib.inflate/2 without an output size cap and materializes the full decompressed payload into a single binary, while max_frame_si...

8.2CVSS5.9AI score0.00625EPSS
Exploits0References4
cnnvd
cnnvd
added 2026/05/01 12:0 a.m.10 views

Bandit 安全漏洞

Bandit is a high-performance HTTP and WebSocket server from the individual developer Mat Trudel. A security vulnerability exists in Bandit versions 0.5.9 through 1.11.0 and earlier, which stems from an unrestricted resource allocation when WebSocket permessage-deflate compression is enabled, whic...

8.2CVSS5.8AI score0.00625EPSS
Exploits0References1
nessus
nessus
added 2026/04/23 12:0 a.m.79 views

Node.js Module Undici < 6.24.0 / 7.x < 7.24.0 Multiple Vulnerabilities

The nodejs module Undici detected on the host is prior to version 6.24.0 or version 7.x prior to 7.24.0. It is, therefore, affected by multiple vulnerabilities : - A flaw exists due to allowing duplicate HTTP Content-Length headers when provided in an array with case-variant names. An...

9.8CVSS7.8AI score0.0115EPSS
Exploits0References6
nessus
nessus
added 2026/04/15 12:0 a.m.8 views

AlmaLinux 10 : nodejs24 (ALSA-2026:7675)

The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:7675 advisory. nodejs: Nodejs denial of service CVE-2026-21637 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547...

9.8CVSS7AI score0.26356EPSS
Exploits1References20
redhat
redhat
added 2026/04/14 7:23 a.m.5 views

undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter

A flaw was found in the undici WebSocket client. A remote malicious server can exploit this vulnerability by sending a WebSocket frame with an invalid servermaxwindowbits parameter within the permessage-deflate extension. This improper validation causes the client's Node.js process to terminate,...

7.5CVSS7.1AI score0.00874EPSS
Exploits0References9
redhat
redhat
added 2026/04/14 7:23 a.m.3 views

undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression

A flaw was found in undici. A remote attacker can exploit this vulnerability by sending a specially crafted compressed frame, known as a "decompression bomb," during permessage-deflate decompression. The undici WebSocket client does not properly limit the size of decompressed data, leading to...

7.5CVSS7AI score0.0115EPSS
Exploits0References8
redhat
redhat
added 2026/04/13 3:0 a.m.8 views

undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter

A flaw was found in the undici WebSocket client. A remote malicious server can exploit this vulnerability by sending a WebSocket frame with an invalid servermaxwindowbits parameter within the permessage-deflate extension. This improper validation causes the client's Node.js process to terminate,...

7.5CVSS7.1AI score0.00874EPSS
Exploits0References9
Rows per page
Query Builder