Severity: MEDIUM (CVSS 4.4)

GHSA-58qx-3vcg-4xpx

ws: Uninitialized memory disclosure

Details

### Impact

In ws 8.x before 8.20.1, the `websocket.close()` implementation is vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the reason argument (the proof of concept uses a `Float32Array`). The reason is carried in the close frame, so whatever stale memory ends up in it is sent to the remote peer.

### Proof of concept

```js
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

// UTF-8 validation is disabled on both ends: a close reason must be valid
// UTF-8, and stale memory almost never is, so the default validation would
// otherwise mask the leak as a protocol error.
const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      // A Float32Array(20) is 80 bytes of zeros, so the reason the peer
      // receives should be 80 zero bytes. On a vulnerable ws the assertion
      // fails because part of the reason is stale memory instead.
      deepStrictEqual(reason, Buffer.alloc(80));
      wss.close(); // let the process exit once the check has passed
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});
```

### Patches

The vulnerability was fixed in ws@8.20.1 (https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086).
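The following is an added illustration written for this page; it is not code from the ws project, the patch, or the advisory. It reproduces the bug class in isolation: a close-frame payload sized from `Buffer.byteLength()` of the reason but filled with `TypedArray.prototype.set()`, which copies one element per target byte, so a `Float32Array(20)` (80 bytes, 20 elements) leaves 60 of the 80 reason bytes untouched. That ws 8.x built the frame in exactly this way is an assumption; the frame layout (a 2-byte status code followed by a reason of at most 123 bytes) is from RFC 6455. Stale pool memory is simulated with a 0xAA fill so the outcome is deterministic, and the names `encodeCloseVulnerable`, `encodeCloseFixed`, `toBuffer` and `unwrittenReasonBytes` are chosen here.

```javascript
// Added illustration, not ws project code. Models the "byte length vs element
// count" mismatch a TypedArray close reason can cause, beside a hardened encoder.
// ASSUMPTION: that the vulnerable code sized the payload with Buffer.byteLength()
// and filled it with TypedArray.prototype.set(). The 2-byte code + reason layout
// and the 123-byte reason limit are RFC 6455.

// Buffer.allocUnsafe() may hand back previously used pool memory. To make that
// observable and deterministic here, "stale" memory is simulated with 0xAA.
const STALE = 0xaa;
function allocUnsafeSimulated(size) {
  return Buffer.alloc(size, STALE);
}

// Vulnerable pattern: the length comes from the reason's byte length (80 for a
// Float32Array(20)), but set() copies one element per target byte, so only 20
// of the 80 reason bytes are written; the other 60 keep their old contents.
function encodeCloseVulnerable(code, reason) {
  const length = Buffer.byteLength(reason);
  if (length > 123) throw new RangeError('close reason must be at most 123 bytes');
  const buf = allocUnsafeSimulated(2 + length);
  buf.writeUInt16BE(code, 0);
  if (typeof reason === 'string') buf.write(reason, 2);
  else buf.set(reason, 2);
  return buf;
}

// Hardened pattern: normalise the reason to a Buffer over the same underlying
// bytes first, so the byte count and the copied length always agree.
function toBuffer(data) {
  if (Buffer.isBuffer(data)) return data;
  if (ArrayBuffer.isView(data)) {
    return Buffer.from(data.buffer, data.byteOffset, data.byteLength);
  }
  if (data instanceof ArrayBuffer) return Buffer.from(data);
  return Buffer.from(String(data), 'utf8');
}

function encodeCloseFixed(code, reason) {
  const bytes = toBuffer(reason);
  if (bytes.length > 123) throw new RangeError('close reason must be at most 123 bytes');
  const buf = allocUnsafeSimulated(2 + bytes.length);
  buf.writeUInt16BE(code, 0);
  bytes.copy(buf, 2);
  return buf;
}

// Number of reason bytes (after the 2-byte code) the encoder never wrote, i.e.
// the bytes that would leak from a real allocUnsafe() buffer. Works for the
// zero-filled reasons used here; a written byte that happens to equal 0xAA
// would be miscounted.
function unwrittenReasonBytes(frame) {
  let n = 0;
  for (let i = 2; i < frame.length; i++) if (frame[i] === STALE) n++;
  return n;
}

// Usage: compare both encoders on the advisory's Float32Array(20) reason.
const reason = new Float32Array(20);
console.log('vulnerable:', unwrittenReasonBytes(encodeCloseVulnerable(1000, reason)), 'of 80 reason bytes unwritten');
console.log('fixed:     ', unwrittenReasonBytes(encodeCloseFixed(1000, reason)), 'of 80 reason bytes unwritten');
```

Under the assumed mechanism a reason passed as a string or as a `Buffer` (where byte length and element count coincide) does not trigger the mismatch, which is why the flaw only surfaces with other `TypedArray` kinds; the fix is still to upgrade to 8.20.1 rather than rely on that.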

### Credits

Credit for the private and responsible disclosure of this issue goes to [Nikita Skovoroda](https://github.com/ChALkeR).

### Remarks

Although the calculated CVSS severity is medium, the actual severity is believed to be low: the flaw is only triggered when application code passes a `TypedArray` as the close reason, a misuse that is unlikely in practice, and a close reason is limited to 123 bytes, so at most that much stale memory reaches the peer per close.

### Resources

- https://github.com/advisories/GHSA-58qx-3vcg-4xpx
- https://www.cve.org/CVERecord?id=CVE-2026-45736

Affected packages

- npm / ws: introduced in 8.0.0, fixed in 8.20.1
- Fix: `npm install ws@8.20.1`
- Check the installed version, including transitive copies pulled in by other dependencies, with `npm ls ws`
