Skip to main content

Ws

3 CVEs product

Monthly

CVE-2026-62389 HIGH PATCH This Week

Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. No public exploit has been identified at time of analysis, and the flaw was disclosed by VulnCheck with a vendor patch already available.

Denial Of Service Ws
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-45736 npm HIGH PATCH GHSA This Week

Uninitialized memory disclosure in the ws WebSocket library for Node.js (versions 8.0.0 through 8.20.0) allows a connected peer to receive leaked process memory when an application calls websocket.close() with a TypedArray as the reason argument. Because the close-frame reason buffer is not zero-initialized, fragments of adjacent heap memory - potentially containing secrets, tokens, or other clients' data - are transmitted over the wire. No public exploit is identified at time of analysis (SSVC lists POC-class maturity but EPSS is only 0.01%), and the issue is fixed in ws 8.20.1.

Node.js Information Disclosure Ws
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2021-32640 npm MEDIUM POC PATCH This Month

ws is an open source WebSocket client and server library for Node.js. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Ws E Series Performance Analyzer
NVD GitHub
CVSS 3.1
5.3
EPSS
2.8%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. No public exploit has been identified at time of analysis, and the flaw was disclosed by VulnCheck with a vendor patch already available.

Denial Of Service Ws
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uninitialized memory disclosure in the ws WebSocket library for Node.js (versions 8.0.0 through 8.20.0) allows a connected peer to receive leaked process memory when an application calls websocket.close() with a TypedArray as the reason argument. Because the close-frame reason buffer is not zero-initialized, fragments of adjacent heap memory - potentially containing secrets, tokens, or other clients' data - are transmitted over the wire. No public exploit is identified at time of analysis (SSVC lists POC-class maturity but EPSS is only 0.01%), and the issue is fixed in ws 8.20.1.

Node.js Information Disclosure Ws
NVD GitHub VulDB
EPSS 3% CVSS 5.3
MEDIUM POC PATCH This Month

ws is an open source WebSocket client and server library for Node.js. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Ws +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy