logo

Database

Sensitive information sent insecurely In node-ws

Description

ws: Uninitialized memory disclosure

Impact

The websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument.

Proof of concept

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {...

Patches

The vulnerability was fixed in [email protected] (https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086).

Credits

Credit for the private and responsible disclosure of this issue goes to Nikita Skovoroda.

Remarks

Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.

Resources

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-457362. NVD-2026-457363. OSV-DEBIAN-2026-457364. OSV-2026-457365. GHSA-58qx-3vcg-4xpx6. GCVE-2026-457367. SECURITY-TRACKER-CVE-2026-45736

References

1. https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx2. https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.