Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-54464

Gravedad CVSS v4.0:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
17/07/2026
Última modificación:
17/07/2026

Descripción

*** Pendiente de traducción *** ### Impact<br /> <br /> If this library is used in tandem with the `permessage-deflate` extension, a<br /> WebSocket server or client can be made to accept messages that are larger than<br /> the configured maximum message size. This is because this limit is checked<br /> against the message frames&amp;#39; length headers, which give the size of the<br /> compressed data, not the size after decompression. This can lead to applications<br /> accepting larger messages than expected and exceeding their intended resource<br /> usage.<br /> <br /> ### Patches<br /> <br /> The issue has been patched in version 0.8.1, by checking the length of messages<br /> after they are processed by incoming extensions. All users should upgrade to<br /> this version.<br /> <br /> ### Workarounds<br /> <br /> No known workarounds exist.<br /> <br /> ### Acknowledgements<br /> <br /> This issue was discovered and reported by Pranjali Thakur, DepthFirst Security<br /> Research Team.