CVE Catalog

CVE-2026-45736

MediumCVSS 4.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.75%

50th percentile - higher than 50% of all known CVEs

Summary

In the ws WebSocket library for Node.js prior to version 8.20.1, a vulnerability allows uninitialized memory disclosure when a TypedArray is passed as the reason argument to websocket.close().

Risk Assessment

An attacker could exploit this flaw to read portions of process memory, potentially leaking sensitive data such as keys, tokens, or other confidential information.

Recommendation

Upgrade the ws library to version 8.20.1 or later immediately, as it contains the fix for this vulnerability.

Original NVD description (English source)

ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS