Bug 2489661 (CVE-2026-48779)

Summary: CVE-2026-48779 ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, adudiak, alcohan, alizardo, anpicker, anthomas, anujha, aschwart, asoldano, aszczucz, ataylor, bbaranow, bbrownin, bdettelb, bmaxwell, boliveir, bparees, brasmith, bstansbe, cdrage, cmah, cochase, dbruscin, dkeler, dkuc, dlofthou, doconnor, dranck, drichtar, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, ehugonne, erezende, fdeutsch, fmariani, ggainey, ggrzybek, gmalinko, gotiwari, gparvin, hasun, ibolton, istudens, ivassile, iweiss, janstey, jbalunas, jchui, jfula, jhe, jhorak, jkoehler, jlanda, jmatthew, jmontleo, jolong, jowilson, jpasqual, jraez, juwatts, jwong, jwon, kaycoth, kshier, ktsao, kvanderr, lball, lchilton, lphiri, manissin, mcarlett, mhulan, mosmerov, mposolda, mpospisi, mstipich, msvehla, mvyas, nboldt, ngough, nmoumoul, nwallace, nyancey, oaljalju, omaciel, ometelka, orabin, oramraz, osousa, pahickey, parichar, pberan, pcreech, pdelbell, pesilva, pgaikwad, pjindal, pmackay, psrna, ptisnovs, rchan, rexwhite, rhaigner, rhel-process-autobot, rjohnson, rmartinc, rstancel, rstepani, rushinde, sdawley, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, ssilvert, stcannon, sthirugn, sthorger, stirabos, suppawar, syedriko, tasato, tcunning, teagle, thason, thjenkin, tmalecek, ttakamiy, vdosoudi, veshanka, vmuzikar, watson-tool-maintainers, xdharmai, yfang, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.
Story Points: ---
Clone Of: Environment:
Last Closed: 2026-06-17 15:14:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2489664, 2489665, 2489666, 2489668, 2489672, 2489673, 2489674, 2489675, 2489677, 2489679, 2489681, 2489682, 2489684, 2489688, 2489689, 2489691, 2489692, 2489693, 2489695, 2489696, 2489697, 2489667, 2489669, 2489671, 2489676, 2489678, 2489680, 2489683, 2489685, 2489686, 2489687, 2489690, 2489694, 2489698    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-16 22:01:48 UTC
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.

Comment 3 Michal Pospisil 2026-06-17 15:14:31 UTC
There is no impact of this CVE on pcs-web-ui installations in production. The vulnerable library (ws) is not included in the production bundle. It a transitive dependency of development tooling (react-scripts → jsdom). The application source code does not import ws.