The Lab · 2026-03-28 04:27:06 · GitHub Issues
A critical security alert has been raised for the `subscriptions-transport-ws` package, version 0.9.16, which contains two unpatched vulnerabilities in its underlying `ws` dependency. The most severe is a high-severity flaw, CVE-2024-37890, with a CVSS score of 7.5. A second, medium-severity vulnerability, CVE-2021-326...
The Lab · 2026-03-29 03:26:59 · GitHub Issues
A critical security flaw in the WebSocket upgrade handlers for voice and direct messaging services allows connections from any origin when a key security configuration is missing. This vulnerability, classified as a HIGH-severity Cross-Site WebSocket Hijacking (CSWSH) risk, enables malicious websites to hijack authenti...
The Lab · 2026-03-31 18:27:19 · GitHub Issues
A critical security flaw in the widely used `websocket-extensions` library has been patched, addressing a Regular Expression Denial of Service (ReDoS) vulnerability. The issue, tracked as CVE-2020-7662, was present in the library's header parser and could have allowed an attacker to cause a denial of service by sending...
The Lab · 2026-04-02 03:27:01 · GitHub Issues
A critical Regular Expression Denial of Service (ReDoS) vulnerability has been patched in the widely used `ws` Node.js WebSocket library. The flaw, tracked in the GitHub Security Advisory Database, allows a maliciously crafted `Sec-WebSocket-Protocol` header to significantly degrade server performance, potentially lead...
The Lab · 2026-04-03 20:27:10 · GitHub Issues
A critical Regular Expression Denial of Service (ReDoS) vulnerability has been patched in the popular `ws` WebSocket library for Node.js. The flaw, tracked in the GitHub Security Advisory Database as GHSA-6fc8-4gx4-v693, allows a malicious client to significantly degrade server performance by sending a specially crafte...
The Lab · 2026-04-06 14:27:19 · GitHub Issues
A critical security fix for a nonce-reuse vulnerability in a WebSocket encryption system has been left incomplete, leaving production code paths exposed. The vulnerability, which could compromise the security of real-time communications, was identified during a review of a previous pull request. While the cryptographic...
The Lab · 2026-04-06 20:27:23 · GitHub Issues
A critical security overhaul of the AIRI Gateway's WebSocket interface has been implemented, shifting the system to a 'Secure by Default' posture to neutralize severe attack vectors. The patch enforces strict zero-trust authentication and connection traceability, directly addressing an open architecture that previously...
The Lab · 2026-04-07 12:27:27 · GitHub Issues
A critical security flaw in the Strawberry GraphQL framework allows attackers to bypass authentication on WebSocket subscription endpoints. The vulnerability, tracked as CVE-2026-35523, is present in all versions up to 0.312.2. The core failure lies in the legacy `graphql-ws` subprotocol handler, which processes subscr...
The Lab · 2026-04-10 00:39:49 · GitHub Issues
A critical security vulnerability with a high severity score of 7.5 has been identified in the widely-used `ws-3.3.3.tgz` WebSocket library for Node.js. The flaw, categorized as CVE-2021-32640, is a Denial of Service (DoS) vulnerability that allows remote attackers to crash a server by sending a specially crafted Sec-W...
The Lab · 2026-04-14 19:22:59 · GitHub Issues
A medium-severity security vulnerability has been identified, exposing the application to cleartext data transmission. Multiple project dependencies are configured to use unencrypted HTTP connections instead of HTTPS, creating a direct channel for man-in-the-middle attacks and data interception. This flaw, classified a...
The Lab · 2026-04-19 20:22:36 · GitHub Issues
A critical Insecure Direct Object Reference (IDOR) vulnerability has been identified, allowing unauthorized users to potentially access or modify collaborative canvases (rooms) simply by guessing or altering the slug in the URL. This flaw bypasses intended access controls, exposing sensitive collaborative spaces to dat...
The Lab · 2026-04-22 21:27:30 · GitHub Issues
A critical SSRF (Server-Side Request Forgery) bypass vulnerability has been identified in workspace-server's URL validation logic, leaving internal services exposed to potential WebSocket-based attacks. The flaw, catalogued as a P0 severity issue, resides in the isSafeURL function within workspace-server/internal/handl...
The Lab · 2026-04-28 18:54:13 · GitHub Issues
A critical security misconfiguration has been identified in the Orbit server codebase, leaving production deployments exposed to Cross-Site WebSocket Hijacking (CSWSH). The vulnerability stems from `InsecureSkipVerify: true` being set on the WebSocket `Accept` call in `cmd/server/main.go`, which disables origin validat...
The Lab · 2026-05-01 12:54:11 · GitHub Issues
A critical denial-of-service vulnerability in CryptPad versions through 2025.3.1 enables remote, unauthenticated attackers to flood WebSocket connections and degrade or deny service for all users of an affected instance. Tracked as CVE-2025-51846 with a CVSS score of 7.5 (High), the flaw carries significant availabilit...
The Lab · 2026-05-07 17:31:41 · GitHub Issues
A critical security flaw has been identified in the WebSocket gateway module responsible for session reconnection handling. The vulnerability exists in `internal/gateway/conn.go`, which manages the AEP init handshake for WebSocket connections. During session reconnection, when a client provides an existing `session_id`...