Ws Project Ws vulnerabilities
7 known vulnerabilities affecting ws_project/ws.
Total CVEs: 7
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 6, MEDIUM 1
Vulnerabilities
CVE-2016-10542 | P3 | HIGH | CVSS 7.5 | CWE-400 | PoC | ≤ 1.1.0 | 2018-05-31
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
Sources: ghsa, nvd, osv
CVE-2026-48779 | P3 | HIGH | CVSS 7.5 | CWE-400 | ≥ 1.1.0, < 5.2.5; ≥ 6.0.0, < 6.2.4; +2 more | 2026-06-17
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network tr
Sources: ghsa, nvd
CVE-2026-45736 | P3 | HIGH | CVSS 7.5 | CWE-908 | ≥ 8.0.0, < 8.20.1 | 2026-05-15
ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
Sources: ghsa, nvd
CVE-2016-10518 | P3 | HIGH | CVSS 7.5 | CWE-201 | fixed in 1.0.1 | 2018-05-31
A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need t
Sources: ghsa, nvd, osv
CVE-2024-37890 | P3 | HIGH | CWE-476 | ≥ 2.1.0, < 5.2.4; ≥ 6.0.0, < 6.2.3; +2 more | 2024-06-17
ws affected by a DoS when handling a request with many HTTP headers
### Impact
A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.
### Proof of concept
```js
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghij
```
Sources: ghsa, osv
CVE-2020-35896 | P3 | HIGH | CWE-400 | ≥ 0, ≤ 0.9.1 | 2021-08-25
Insufficient size checks in ws
An issue was discovered in the ws crate through 2020-09-25 for Rust. The outgoing buffer is not properly limited, leading to a remote memory-consumption attack.
Sources: ghsa, osv
CVE-2021-32640 | P4 | MEDIUM | CVSS 5.3 | CWE-400 | ≥ 5.0.0, < 6.2.2; ≥ 7.0.0, < 7.4.6 | 2021-05-25
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the i
Sources: ghsa, nvd, osv