Remote Memory Disclosure in ws

Severity:: Low

Description

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server.

Recommendation

Update the ws package to the latest compatible version. Followings are version details:

Affected version(s): < 1.0.1
Patched version(s): 1.0.1

References

GHSA-2mhh-w6q8-5hxw
www.npmjs.com
CVE-2016-10518
CWE-201
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

lobe-chat has an Open Redirect - CVE-2025-59426
Cross-site Scripting in ZenUML - CVE-2024-38527
Cross-site Scripting in cesium - CVE-2023-48094
Command Injection in node-rules - Vulnerability

Tags:: npm; ws

Anything's wrong? Let us know Last updated on September 18, 2023