CVEFinder.io

CVE-2016-10542

⚠️ high
Summary

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

CVSS Score: 7.5 (High)
EPSS Score: 66.1 (Exploit Probability)
Published Date: 2018-05-31
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.0% of all 328,009 vulnerabilities in our database.

#101,817
Above average severity
Severity Percentile
Last Modified: 2024-11-21
Source: NVD
CVSS Vector 3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE IDs (Weakness Types)

📦 Affected Products 1

🔗 References 2

https://github.com/nodejs/node/issues/7388
Issue Tracking Third Party Advisory

🔗 Related CVEs 3

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2026-45736 | 🔶 medium | 4.4 | 0.0 | ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is v... | 2026-05-15 |
| CVE-2021-32640 | 🔶 medium | 5.3 | 0.5 | ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Pr... | 2021-05-25 |
| CVE-2016-10518 | ⚠️ high | 7.5 | 0.4 | A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memo... | 2018-05-31 |
These CVEs affect the same products