Description
The websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument.
Recommendation
Update the ws package to the latest compatible version. Followings are version details:
- Affected version(s): >= 8.0.0, < 8.20.1
- Patched version(s): 8.20.1
References
Related Issues
- Remote Memory Disclosure in ws - CVE-2016-10518
- ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictio - CVE-2026-39857
- Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands - CVE-2026-29772
- Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - CVE-2026-1526
You might also like:
- Tags:
- npm
- ws
Anything's wrong? Let us know Last updated on May 18, 2026


