ws
Moderate fix1 remedy
cpe:2.3:a:ws_project:ws:*:*:*:*:node.js:*:*
Moderate fix1 remedy
- >= 8.0.0, < 8.20.1
ws Uninitialized Memory Disclosure Vulnerability in WebSocket Close Implementation
Vulnerability
Patched
A vulnerability allowing uninitialized memory disclosure has been identified in the 'ws' WebSocket client and server for Node.js, affecting versions 8.0.0 prior to 8.20.1. The issue arises in the 'websocket.close()' method when a TypedArray is passed as the reason argument. The function fails to properly sanitize the memory buffer, leading to the potential leakage of sensitive information to the remote peer.
Impact
Exploitation of this vulnerability could result in the unauthorized disclosure of uninitialized memory, potentially leaking sensitive data to the remote peer.
Reproduction
The vulnerability can be reproduced by creating a WebSocket server using the 'ws' library and a client that connects to it. When the client sends a close request with a Float32Array as the reason, the server can access the uninitialized memory through the close event, demonstrating the memory disclosure.
Remediation
Users can upgrade to 'ws' version 8.20.1 or later to address this vulnerability.
Added: May 15, 2026, 3:21 PM
Updated: May 15, 2026, 3:21 PM
Vulnerability Rating
Custom Algorithm
spread
7.3impact
0.6exploitability
6.6remediation
7.7relevance
8.4threat
6.4urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.