CVE-2026-45736

Description

ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

CVSS Details

CVSS Score

4.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

ws < 8.20.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

const WebSocket = require('ws');

// Vulnerable Server setup
const wss = new WebSocket.Server({ port: 8080 });

wss.on('connection', ws => {
  // Simulate a scenario where data is prepared in a TypedArray
  // and passed as a reason to close().
  // In vulnerable versions (< 8.20.1), this may leak uninitialized memory.
  const reasonBuffer = new Uint8Array([0x03, 0xe8]); // Normal close code bytes
  
  // Note: The vulnerability specifically triggers when the implementation
  // fails to handle the TypedArray correctly, reading beyond intended bounds.
  ws.close(1000, reasonBuffer);
});

console.log('Server running on port 8080');

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-45736
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-45736
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-45736/
[4] VulDB https://vuldb.com/cve/CVE-2026-45736
[5] https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086
[6] https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx
[7] https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-45736", "sourceIdentifier": "[email protected]", "published": "2026-05-15T15:16:54.103", "lastModified": "2026-05-16T02:16:15.273", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.7, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-908"}]}], "references": [{"url": "https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086", "source": "[email protected]"}, {"url": "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx", "source": "[email protected]"}, {"url": "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}