Intel

AIKIDO-2026-677195

websocket-driver is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)GHSA-2x63-gw47-w4mm Published Yesterday

89

High Risk

This Affects:

RUBYwebsocket-driver
0.0.1 - 0.8.1
Fixed in 0.8.2
Are you affected? Scan for Free

TL;DR

The Server driver, created via WebSocket::Driver.server(), parses the incoming HTTP Host header into server name and port using URI parsing while completing the request. A client can send a malformed Host header that is not a valid host[:port] value, which raises an uncaught URI::InvalidURIError. Before the fix this exception propagates out of the request parser and can crash the server process, causing a denial of service when the application does not itself rescue the error. The fix makes the request parser rescue URI::InvalidURIError and put the request into an error state so the connection is treated as invalid instead of raising.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and are using the Server driver created via WebSocket::Driver.server().

Background info

websocket-driver is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 0.8.1.

How to fix this

Upgrade the websocket-driver library to the patch version.