Description
ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
Published: 2026-05-15
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An uninitialized memory disclosure exists in the ws library's websocket.close() routine when a TypedArray is supplied as the reason parameter. The flaw stems from improper handling of typed-array buffers, allowing an attacker to read portions of memory that were never explicitly initialized. As a result, confidential data such as cryptographic keys, credentials, or other sensitive information may be exposed from the Node.js process. The weakness is classified as CWE-908 (Use of Uninitialized Resource).

Affected Systems

Websockets:ws, the open-source WebSocket client and server for Node.js, is affected. Versions earlier than 8.20.1 are vulnerable, including 8.19.x and all prior releases. Any project that imports or requires the ws module and calls close() with a TypedArray argument is susceptible. The issue is confined to the library itself and does not affect the underlying Node.js runtime outside the application's own scope.

Risk and Exploitability

The CVSS score of 4.4 indicates medium severity. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting limited exploitation activity at present. The exposure is nonetheless local to the running Node.js process, so exploitation requires access to the process's internal memory or an attacker who can influence the code path that invokes the vulnerable function. The potential impact is data leakage rather than full compromise.

Generated by OpenCVE AI on May 15, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ws 8.20.1 or later, which sanitizes the TypedArray input.
  • Refactor any websocket.close() calls that supply a TypedArray, replacing the argument with a string, null, or another safe type, and enforce input validation that rejects TypedArrays.
  • If an upgrade or refactor is not immediately possible, run the application in a restricted environment that limits process memory visibility and monitor for anomalous memory access patterns as a temporary mitigation.
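As an added example (not code from the ws project or from OpenCVE), the following guard implements the second recommended action: it refuses TypedArray and ArrayBuffer values for the close reason, forwards only strings, and additionally enforces the 123-byte reason limit that RFC 6455 imposes on close frames. The names sanitizeCloseReason and safeClose, and the stand-in socket object, are chosen for this example.

```javascript
// Added example: defensive wrapper around ws's websocket.close(code, reason).
// A TypedArray (or raw ArrayBuffer) is never forwarded as the reason; only a
// string is accepted. Names here (sanitizeCloseReason, safeClose) are
// chosen for this example, not taken from the ws API.

// RFC 6455: a control frame payload is at most 125 bytes, and the close
// payload carries a 2-byte status code first, so the reason may be at most
// 123 bytes of UTF-8.
const MAX_CLOSE_REASON_BYTES = 123;

function sanitizeCloseReason(reason) {
  if (reason === undefined || reason === null) return '';
  // Buffer is a Uint8Array subclass, so this branch also rejects Buffer
  // objects and DataView: callers must pass text, never a memory view.
  if (ArrayBuffer.isView(reason) || reason instanceof ArrayBuffer) {
    throw new TypeError('close reason must be a string, not a TypedArray/ArrayBuffer');
  }
  if (typeof reason !== 'string') {
    throw new TypeError(`close reason must be a string, got ${typeof reason}`);
  }
  if (Buffer.byteLength(reason, 'utf8') > MAX_CLOSE_REASON_BYTES) {
    throw new RangeError('close reason exceeds 123 UTF-8 bytes');
  }
  return reason;
}

// Drop-in replacement for socket.close(): validate first, then delegate.
// `socket` is any object exposing close(code, reason), e.g. a ws WebSocket.
function safeClose(socket, code = 1000, reason) {
  socket.close(code, sanitizeCloseReason(reason));
}

// Constructed demonstration with a stand-in socket (no network needed).
const calls = [];
const fakeSocket = { close: (code, reason) => calls.push({ code, reason }) };
safeClose(fakeSocket, 1000, 'shutting down');
let rejected = false;
try {
  safeClose(fakeSocket, 1000, new Uint8Array([0x68, 0x69])); // constructed view
} catch (e) {
  rejected = e instanceof TypeError;
}
console.log(calls.length, rejected);
```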

Advisories

No advisories yet.

History

Sat, 16 May 2026 01:15:00 +0000

Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 16:45:00 +0000

First Time appeared, values added: Websockets; Websockets ws
Vendors & Products, values added: Websockets; Websockets ws

Fri, 15 May 2026 15:15:00 +0000

Description, values added: ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
Title, values added: ws: Uninitialized memory disclosure
Weaknesses, values added: CWE-908
References, values added: (blank)
Metrics (cvssV3_1), values added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-16T01:09:15.903Z

Reserved: 2026-05-13T06:54:34.219Z

Link: CVE-2026-45736

Vulnrichment

Updated: 2026-05-16T01:09:07.921Z

NVD

Status : Received

Published: 2026-05-15T15:16:54.103

Modified: 2026-05-16T02:16:15.273

Link: CVE-2026-45736

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T16:30:03Z

Weaknesses