Affected versions of `ws` do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.

## Recommendation

Update to version 1.1.1 or later.
Alternatively, set the `maxpayload` option for the `ws` server to a value smaller than 256MB.

Affected Packages

npm ws

Affected versions: 0 (fixed in 1.1.1)

Related CVEs

CVE-2016-10542

Key Information

GHSA ID

GHSA-6663-c963-2gqg

Published

February 18, 2019 11:58 PM

Last Modified

August 31, 2020 6:11 PM

CVSS Score

7.5 /10

Primary Ecosystem

npm

Primary Package

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 30, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.