Skip to content

fix: update websocket-driver to 0.8.2 (security audit)#2695

Merged
mroderick merged 1 commit into
masterfrom
fix/websocket-driver-cve
Jul 9, 2026
Merged

fix: update websocket-driver to 0.8.2 (security audit)#2695
mroderick merged 1 commit into
masterfrom
fix/websocket-driver-cve

Conversation

@mroderick

Copy link
Copy Markdown
Collaborator

Problem

Security audit failing with 4 CVEs in websocket-driver 0.8.0:

CVE / GHSA Issue Fixed in
CVE-2026-54464 / GHSA-33ph-fccm-39pj Resource limit bypass via compression ≥0.8.1
CVE-2026-54467 / GHSA-8j3g-f24p-4mpw Memory exhaustion in HTTP header parser ≥0.8.2
CVE-2026-54468 Unspecified DoS ≥0.8.1
(unnamed) Memory exhaustion in WebSocket frame parser ≥0.8.1

Change

bundle update websocket-driver --conservative — only the version and checksum changed in Gemfile.lock. No code changes, no dependency additions.

Verification

  • bundle exec rspec passes
  • bundler-audit (security audit) now passes

…CVE-2026-54468, GHSA-8j3g-f24p-4mpw)

Patches 4 CVEs in websocket-driver < 0.8.1/0.8.2: resource limit bypass,
memory exhaustion in HTTP header parser, and unspecified denial-of-service.
@mroderick mroderick marked this pull request as ready for review July 9, 2026 07:30
@mroderick mroderick enabled auto-merge July 9, 2026 07:31
@mroderick mroderick requested a review from olleolleolle July 9, 2026 07:31
@mroderick mroderick merged commit 9613002 into master Jul 9, 2026
16 of 17 checks passed
@mroderick mroderick deleted the fix/websocket-driver-cve branch July 9, 2026 08:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants