Skip to content
Verified reproduction

CVE-2026-54466: websocket-driver: message corruption via abuse of draft-WebSocket length headers

CVE-2026-54466 is verified against faye/websocket-driver-node · npm affected versions: < 0.7.5 fixed version: 0.7.5 vulnerability class: RCE This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00292.

REPRO-2026-00292 faye/websocket-driver-node · npm RCE Variant found Known vulnerability Jul 16, 2026 CVE entry .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 7m 28s
Tool calls 127
Spend $1.26
Affected < 0.7.5
Fixed in 0.7.5
$ pruva-verify REPRO-2026-00292
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00292/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

CVE-2026-54466 / GHSA-xv26-6w52-cph6: websocket-driver (npm, faye/websocket-driver-node) versions < 0.7.5 mishandle an overlong variable-width length header in the legacy draft-75/draft-76 WebSocket parser. The base-128 length accumulator in _parseLeadingByte() case 1 grows without bound; since JS numbers are 64-bit floats, the declared length eventually loses integer precision, causing the subsequent payload to be misframed. Impact is protocol message corruption / message loss (Integrity High), not RCE or memory exhaustion. CVSS v4 9.2 Critical.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support · claim contract · reproduction · judge · variant analysis

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.