CVE-2026-45736
MediumCVSS 4.4Exploitation Probability (EPSS)
Elevated risk50th percentile - higher than 50% of all known CVEs
Summary
In the ws WebSocket library for Node.js prior to version 8.20.1, a vulnerability allows uninitialized memory disclosure when a TypedArray is passed as the reason argument to websocket.close().
Risk Assessment
An attacker could exploit this flaw to read portions of process memory, potentially leaking sensitive data such as keys, tokens, or other confidential information.
Recommendation
Upgrade the ws library to version 8.20.1 or later immediately, as it contains the fix for this vulnerability.
Original NVD description (English source)
ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

