Remote Memory Disclosure in ws

Severity:: Low

Description

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server.

Recommendation

Update the ws package to the latest compatible version. Followings are version details:

Affected version(s): < 1.0.1
Patched version(s): 1.0.1

References

GHSA-2mhh-w6q8-5hxw
www.npmjs.com
CVE-2016-10518
CWE-201
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

@sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve - CVE-2026-22803
DoS due to excessively large websocket message in ws - CVE-2016-10542
Denial of Service in jquery - CVE-2016-10707
The Thinbus Javascript Secure Remote Password (SRP) Client Generates Fewer Bits of Entropy Than Intended - CVE-2025-54885

Tags:: npm; ws

Anything's wrong? Let us know Last updated on September 18, 2023