CVE-2022-39386

Name: CVE-2022-39386
Creator: NVD / NIST
Published: 2022-11-08T22:15:15.953+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 0.73%

Last modified Jun 17, 2026

CVE-2022-39386 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. @fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. EPSS estimates a 0.73% chance of exploitation in the next 30 days.

Description

@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1.1 (fastify v4) and version 5.0.1 (fastify v3). There are currently no known workarounds. However, it should be possible to attach the error handler manually. The recommended path is upgrading to the patched versions.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.73%

49.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-248

Affected Software

Vendor	Product	Versions
Fastify	Websocket	>= 6.0.0, < 7.1.1
Fastify	Websocket	5.0.0

References

https://github.com/fastify/fastify-websocket/security/advisories/GHSA-4pcg-wr6c-h9cqThird Party Advisory
https://github.com/fastify/fastify-websocket/security/advisories/GHSA-4pcg-wr6c-h9cqThird Party Advisory

Timeline

Published: Nov 8, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-39386?

How severe is CVE-2022-39386?

CVE-2022-39386 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.73% probability of exploitation in the next 30 days.

How do I fix CVE-2022-39386?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-39386?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST