Skip to content

fix(security): bump ws to 8.21.0 — CVE-2026-48779 (AXE-3768)#258

Open
sunny-se wants to merge 1 commit into
mainfrom
AXE-3768-ws-bump
Open

fix(security): bump ws to 8.21.0 — CVE-2026-48779 (AXE-3768)#258
sunny-se wants to merge 1 commit into
mainfrom
AXE-3768-ws-bump

Conversation

@sunny-se

Copy link
Copy Markdown
Collaborator

Summary

Fixes the open ws memory-exhaustion DoS vulnerability (CVE-2026-48779, CVSS 7.5 HIGH) in axe-core.

Ticket Advisory Package Fix
AXE-3768 GHSA-96hv-2xvq-fx4p (CVSS 7.5) ws (transitive via engine.io, socket.io-adapter) 8.17.1/8.18.3 → 8.21.0 (override)

Sibling PR

  • AXE-3759 (ws in a11y-engine) → browserstack/a11y-engine#2602

Approach

Added "ws": ">=8.21.0" to overrides in package.json. All 3 ws copies (engine.io 8.17.1, socket.io-adapter 8.17.1, root 8.18.3) collapse to single 8.21.0.

Backward compatibility

ws 8.21.0 is a minor bump within 8.x — same API. Fix adds maxBufferedChunks/maxFragments options. No breaking changes for engine.io/socket.io usage.

Validation

  • npm install --package-lock-only --force clean.
  • All ws copies resolve to 8.21.0 (verified via lockfile parse).

Testing

  • CI green
  • axe-core build passes

🤖 Generated with Claude Code

Fix CVE-2026-48779 (GHSA-96hv-2xvq-fx4p) — ws memory exhaustion DoS
via tiny WebSocket fragments. CVSS 7.5 (HIGH).

ws is transitive (via engine.io, socket.io-adapter). Override collapses
all copies (8.17.1, 8.18.3) to 8.21.0. Backward compatible — same
major version, basic WebSocket API unchanged.
@sunny-se

Copy link
Copy Markdown
Collaborator Author

RUN_SCA

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants