GHSA-58qx-3vcg-4xpx

Source
https://github.com/advisories/GHSA-58qx-3vcg-4xpx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-58qx-3vcg-4xpx/GHSA-58qx-3vcg-4xpx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-58qx-3vcg-4xpx
Aliases
  • CVE-2026-45736
Published
2026-05-18T19:02:40Z
Modified
2026-05-20T14:14:16.832659554Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
ws: Uninitialized memory disclosure
Details

Impact

The websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument.

Proof of concept

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});

Patches

The vulnerability was fixed in ws@8.20.1 (https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086).

Credits

Credit for the private and responsible disclosure of this issue goes to Nikita Skovoroda.

Remarks

Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.

Resources

  • https://github.com/advisories/GHSA-58qx-3vcg-4xpx
  • https://www.cve.org/CVERecord?id=CVE-2026-45736
Database specific
{
    "cwe_ids": [
        "CWE-908"
    ],
    "github_reviewed_at": "2026-05-18T19:02:40Z",
    "nvd_published_at": "2026-05-15T15:16:54Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
Affected packages

npm / ws

Affected ranges (SEMVER)
Introduced: 8.0.0
Fixed: 8.20.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-58qx-3vcg-4xpx/GHSA-58qx-3vcg-4xpx.json"