CVE-2026-54464
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
17/07/2026
Last modified:
17/07/2026
Description
### Impact<br />
<br />
If this library is used in tandem with the `permessage-deflate` extension, a<br />
WebSocket server or client can be made to accept messages that are larger than<br />
the configured maximum message size. This is because this limit is checked<br />
against the message frames&#39; length headers, which give the size of the<br />
compressed data, not the size after decompression. This can lead to applications<br />
accepting larger messages than expected and exceeding their intended resource<br />
usage.<br />
<br />
### Patches<br />
<br />
The issue has been patched in version 0.8.1, by checking the length of messages<br />
after they are processed by incoming extensions. All users should upgrade to<br />
this version.<br />
<br />
### Workarounds<br />
<br />
No known workarounds exist.<br />
<br />
### Acknowledgements<br />
<br />
This issue was discovered and reported by Pranjali Thakur, DepthFirst Security<br />
Research Team.
Impact
Base Score 4.0
6.30
Severity 4.0
MEDIUM



