Description
ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
References (2)
Core References
x_refsource_confirm
https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx
x_refsource_misc
https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086
Scores
CVSS v3: 4.4
EPSS: 0.0001
EPSS Percentile: 1.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-908
Status: published
Products (3)
npm/ws: 8.0.0 - 8.20.1
websockets/ws: >= 8.0.0, < 8.20.1
ws_project/ws: 8.0.0 - 8.20.1
Published: May 15, 2026
Tracked Since: May 15, 2026