Description
The websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument.
Recommendation
Update the ws package to the latest compatible version. Version details:
- Affected version(s): >= 8.0.0, < 8.20.1
- Patched version(s): 8.20.1
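A check for the range above, as an added example that is not part of the advisory or the ws project: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports every installed copy of ws, including nested ones, that falls in the affected range. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag installed copies of ws in the advisory's affected range
// (>= 8.0.0, < 8.20.1). Function names are hypothetical, not a ws or npm API.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns <0, 0 or >0. Assumption: any prerelease sorts below the release with
// the same numbers, so a prerelease of the patched version is reported.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  return Number(b.pre) - Number(a.pre);
}

const AFFECTED_FROM = parseVersion("8.0.0");
const PATCHED = parseVersion("8.20.1");

function inRange(v) {
  return compareVersions(v, AFFECTED_FROM) >= 0 && compareVersions(v, PATCHED) < 0;
}

// Lockfile keys are install paths such as "node_modules/a/node_modules/ws";
// a nested copy can be vulnerable even when the top-level one is patched.
function findAffectedWs(lockfile) {
  const affected = [], unknown = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/ws")) continue;
    const v = parseVersion(entry.version || "");
    if (!v) unknown.push({ path, version: entry.version });
    else if (inRange(v)) affected.push({ path, version: entry.version });
  }
  return { affected, unknown };
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/ws": { version: "8.20.1" },
    "node_modules/some-client/node_modules/ws": { version: "8.17.0" },
    "node_modules/legacy-lib/node_modules/ws": { version: "7.5.9" },
  },
};

console.log(JSON.stringify(findAffectedWs(sampleLock), null, 2));
```

Entries listed under `unknown` have a version string the parser could not read and should be checked by hand.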
References
Related Issues
- Remote Memory Disclosure in ws - CVE-2016-10518
- devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse - CVE-2026-22775
- LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting sid - CVE-2026-39412
- Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse - CVE-2026-22774
Tags: npm, ws
Last updated on May 18, 2026


