Vulnerabilities |
1 via 4 paths |
|---|---|
Dependencies |
453 |
Source |
GitHub |
Find, fix and prevent vulnerabilities in your code.
medium severity
new
- Vulnerable module: ws
- Introduced through: wrangler@4.93.0 and @astrojs/cloudflare@13.5.2
Detailed paths
-
Introduced through: molecular-mars@alehar9320/astro-cloudflare-personal-website › wrangler@4.93.0 › miniflare@4.20260518.0 › ws@8.18.0
-
Introduced through: molecular-mars@alehar9320/astro-cloudflare-personal-website › @astrojs/cloudflare@13.5.2 › @cloudflare/vite-plugin@1.37.2 › ws@8.18.0
-
Introduced through: molecular-mars@alehar9320/astro-cloudflare-personal-website › @astrojs/cloudflare@13.5.2 › @cloudflare/vite-plugin@1.37.2 › miniflare@4.20260518.0 › ws@8.18.0
-
Introduced through: molecular-mars@alehar9320/astro-cloudflare-personal-website › @astrojs/cloudflare@13.5.2 › @cloudflare/vite-plugin@1.37.2 › wrangler@4.93.0 › miniflare@4.20260518.0 › ws@8.18.0
Overview
ws is a simple to use websocket client, server and console for node.js.
Affected versions of this package are vulnerable to Use of Uninitialized Resource in the websocket.close() implementation in the Sender class, which exposes uninitialized memory when a TypedArray is provided as the reason argument.
Note: The project maintainers note that this "flaw is only exploitable through misuse that is unlikely in practice".
PoC
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(`ws://localhost:${port}`, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
deepStrictEqual(reason, Buffer.alloc(80));
});
}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});
Remediation
Upgrade ws to version 8.20.1 or higher.