Ws
Monthly
Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. No public exploit has been identified at time of analysis, and the flaw was disclosed by VulnCheck with a vendor patch already available.
Uninitialized memory disclosure in the ws WebSocket library for Node.js (versions 8.0.0 through 8.20.0) allows a connected peer to receive leaked process memory when an application calls websocket.close() with a TypedArray as the reason argument. Because the close-frame reason buffer is not zero-initialized, fragments of adjacent heap memory - potentially containing secrets, tokens, or other clients' data - are transmitted over the wire. No public exploit is identified at time of analysis (SSVC lists POC-class maturity but EPSS is only 0.01%), and the issue is fixed in ws 8.20.1.
ws is an open source WebSocket client and server library for Node.js. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. No public exploit has been identified at time of analysis, and the flaw was disclosed by VulnCheck with a vendor patch already available.
Uninitialized memory disclosure in the ws WebSocket library for Node.js (versions 8.0.0 through 8.20.0) allows a connected peer to receive leaked process memory when an application calls websocket.close() with a TypedArray as the reason argument. Because the close-frame reason buffer is not zero-initialized, fragments of adjacent heap memory - potentially containing secrets, tokens, or other clients' data - are transmitted over the wire. No public exploit is identified at time of analysis (SSVC lists POC-class maturity but EPSS is only 0.01%), and the issue is fixed in ws 8.20.1.
ws is an open source WebSocket client and server library for Node.js. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.