ws: Uninitialized memory disclosure — CVE-2026-45736
ID: CVE-2026-45736
Date:
Activity:
Source: GitHub
Vendor: GitHub
Threat: medium
CVSS: 4.4
EPSS: 0.00009
Summary
### Impact

The `websocket.close()` implementation is vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the reason argument.

### Proof of concept

```js
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new…
```
Product
npm: ws
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.