GHSA-8j3g-f24p-4mpw
websocket-driver: Memory exhaustion in HTTP header parser
Details
### Impact
If this library is used to implement a WebSocket server on top of a TCP server (rather than an HTTP server or framework) using the `WebSocket::Driver.server()` method, or, if it is used to complement a WebSocket client, then a peer can make a single connection consume an unbounded amount of memory by sending an HTTP request or response with a never-ending list of headers. This can lead to the receiving process running out of memory.
### Patches
The issue has been patched in version 0.8.1, by limiting the total size of HTTP request/response lines and headers accepted by the parser to 32 kB. All users should upgrade to this version.
### Workarounds
No known workarounds exist.
### Acknowledgements
This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-8j3g-f24p-4mpw [WEB]
- https://github.com/faye/websocket-driver-ruby [PACKAGE]
- https://github.com/faye/websocket-driver-ruby/releases/tag/0.8.1 [WEB]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/websocket-driver/CVE-2026-54465.yml [WEB]
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54465 [WEB]