CVE-2026-45736

🔶 medium

Summary

ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

CVSS Score

4.4

Medium

EPSS Score

0.0

Exploit Probability

Published Date

2026-05-15

First Seen: 2026-05-17

📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 11.6% of all 325,680 vulnerabilities in our database.

#287,921

Below average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: May 16, 2026

🔍 Exploitation Status

Poc

Proof-of-concept available

⚙️ Automatable

Requires human interaction

💥 Technical Impact

Partial

Limited system impact

SSVC data provided by CISA

Last Modified 2026-05-19

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE IDs (Weakness Types)

CWE-908

📦 Affected Products 1

Vendor	Product	Status	Affected Versions
ws_project	ws	Affected	> 8.0.0 < 8.20.1

🔗 References 2

🔗 Related CVEs 3

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2021-32640	🔶 medium	5.3	0.5	ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Pr...	2021-05-25
CVE-2016-10518	⚠️ high	7.5	0.4	A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memo...	2018-05-31
CVE-2016-10542	⚠️ high	7.5	66.1	ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date ...	2018-05-31

These CVEs affect the same products