Denial of service via malformed Host header
Published: June 23, 2026
SECURITY IDENTIFIERS
- GHSA: GHSA-2x63-gw47-w4mm
- Vendor Advisory: https://github.com/faye/websocket-driver-ruby/security/advisories/GHSA-2x63-gw47-w4mm
GEM
PATCHED VERSIONS
>= 0.8.2
DESCRIPTION
Impact
If this library is used to implement a WebSocket server on top of a TCP server, by using the WebSocket::Driver.server() method, then a client can cause the server to crash by sending a Host header that is not a valid host[:port] string. When this happens, a URI::InvalidURIError exception is raised which is not caught, and this can cause the server process to crash if the application does not catch the error from the parse() method itself.
Acknowledgements
This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.
