CVE-2026-45736

MEDIUM NVD

CVSS Score 4.4

Severity MEDIUM

Published May 15, 2026

Vendor unknown

Description

ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

References

https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086
https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx