89 matches found
CVE-2026-54464 websocket-driver: Resource limit bypass via message compression
Impact If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the si...
CVE-2026-54464
The CVE-2026-54464 issue affects the websocket-driver Ruby library. When used with the permessage-deflate extension, WebSocket servers/clients can accept messages larger than the configured maximum because length checks use the compressed data size (frame length headers) instead of the decompress...
websocket-driver: Resource limit bypass via message compression
Impact If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the si...
GHSA-33PH-FCCM-39PJ websocket-driver: Resource limit bypass via message compression
Impact If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the si...
websocket-driver: Resource limit bypass via message compression
Impact If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the si...
PT-2026-60382
Name of the Vulnerable Software and Affected Versions websocket-driver versions prior to 0.7.5 Description When used with the permessage-deflate extension, a WebSocket server or client may accept messages exceeding the configured maximum message size. This occurs because the size limit is validat...
Linux Distros Unpatched Vulnerability : CVE-2026-15709
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop inflate processes data in...
PT-2026-60379
Name of the Vulnerable Software and Affected Versions affected versions not specified Description When used with the permessage-deflate extension, a WebSocket server or client may accept messages exceeding the configured maximum size. This occurs because the size limit is validated against the...
CVE-2026-15709
A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop inflate processes data in chunks without enforcing an upper boundary limit on the output buffer size. While libsoup limits the incoming compressed frame size via...
CVE-2026-15709 Soupwebsocketextensiondeflate: libsoup: libsoup: websocket permessage-deflate unbounded decompression remote denial of service
A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop inflate processes data in chunks without enforcing an upper boundary limit on the output buffer size. While libsoup limits the incoming compressed frame size via...
CVE-2026-15709
The CVE concerns libsoup's WebSocket permessage-deflate implementation. The decompression loop (inflate()) can allocate memory without an upper bound, as output size is not bounded during decompression even though max_incoming_payload_size limits input frames. A separate check for decompressed si...
CVE-2026-15709
A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop inflate processes data in chunks without enforcing an upper boundary limit on the output buffer size. While libsoup limits the incoming compressed frame size via...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the permessage-deflate extension. An attacker can cause the application to process messages that exceed the intended resource limits by sending compressed messages that, when...
Resource limit bypass via message compression
Impact If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the si...
CVE-2026-39804
A flaw was found in bandit. An unauthenticated attacker who can open a WebSocket connection can exploit a vulnerability when WebSocket permessage-deflate compression is enabled. This flaw allows for memory exhaustion by sending a highly compressed frame that, when decompressed, forces large memor...
EUVD-2026-26711
Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame...
Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame
Summary When a Bandit-fronted server has explicitly enabled WebSocket permessage-deflate compress: true, an unauthenticated client can OOM the BEAM with a single 6 MiB WebSocket frame. Bandit's inflate step has no output-size cap, so a small high-ratio compressed frame e.g. zeros, 1024:1 ratio...
GHSA-FRH3-6PV6-RC8J Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame
Summary When a Bandit-fronted server has explicitly enabled WebSocket permessage-deflate compress: true, an unauthenticated client can OOM the BEAM with a single 6 MiB WebSocket frame. Bandit's inflate step has no output-size cap, so a small high-ratio compressed frame e.g. zeros, 1024:1 ratio...
CVE-2026-39804
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in...
CVE-2026-39804 WebSocket permessage-deflate inflate has no output-size cap in bandit
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in...