RubySec

Providing security resources for the Ruby community

GHSA-2x63-gw47-w4mm (websocket-driver): Denial of service via malformed Host header

Denial of service via malformed Host header

Published: June 23, 2026

SECURITY IDENTIFIERS

GEM

websocket-driver

PATCHED VERSIONS

>= 0.8.2

DESCRIPTION

Impact

If this library is used to implement a WebSocket server on top of a TCP server, by using the WebSocket::Driver.server() method, then a client can cause the server to crash by sending a Host header that is not a valid host[:port] string. When this happens, a URI::InvalidURIError exception is raised which is not caught, and this can cause the server process to crash if the application does not catch the error from the parse() method itself.

Acknowledgements

This issue was discovered and reported by Pranjali Thakur, DepthFirst Security Research Team.

RELATED