CVE-2026-45736 Overview
CVE-2026-45736 is an uninitialized memory disclosure vulnerability in ws, the popular open source WebSocket client and server library for Node.js. The flaw resides in the websocket.close() implementation, which fails to properly handle TypedArray values passed as the reason argument. When triggered, the function transmits uninitialized buffer memory to the remote peer, potentially leaking process memory contents over the network. The issue is tracked under CWE-908 (Use of Uninitialized Resource) and was fixed in ws version 8.20.1.
Critical Impact
Remote attackers or peers can receive fragments of uninitialized Node.js process memory through crafted WebSocket close frames, exposing potentially sensitive in-process data.
Affected Products
- ws (WebSocket library for Node.js) — all versions prior to 8.20.1
- Node.js applications and frameworks that depend on ws as a transitive or direct dependency
- Server and client implementations invoking websocket.close() with TypedArray reason arguments
Discovery Timeline
- 2026-05-15 - CVE-2026-45736 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45736
Vulnerability Analysis
The ws library exposes a websocket.close(code, reason) API that allows callers to send a WebSocket close frame with an optional reason payload. Prior to version 8.20.1, the close frame construction logic in lib/sender.js did not validate that the reason argument was a plain Buffer or string. When a TypedArray such as Uint8Array, Uint16Array, or Float32Array was passed, the implementation allocated a buffer sized for the reason but did not correctly copy the typed array contents into the allocated region.
The resulting close frame was transmitted with the unwritten portion of the allocation still containing residual heap memory from prior allocations. That residual memory can include fragments of HTTP headers, session tokens, request bodies, cryptographic material, or any other data previously held by the Node.js process. The patch introduces an isUint8Array check using util.types to ensure typed array inputs are normalized before serialization.
Root Cause
The root cause is improper handling of TypedArray objects in the close frame serializer. TypedArray instances are not Buffer instances, so they bypass the standard Buffer.from() copy path. The serializer allocated memory based on the declared byte length but did not initialize or fully populate the destination, leaving uninitialized bytes in the outbound frame (CWE-908).
Attack Vector
Exploitation requires that an application accept a TypedArray value into the reason parameter of websocket.close(). This can occur in proxy implementations, gateway services, or any application that forwards client-supplied close reasons. The attacker observes the resulting close frame on the wire and extracts uninitialized memory bytes. The attack is network-based and requires neither authentication nor user interaction.
// Patch excerpt from lib/sender.js (ws 8.20.1)
const { Duplex } = require('stream');
const { randomFillSync } = require('crypto');
+const {
+ types: { isUint8Array }
+} = require('util');
const PerMessageDeflate = require('./permessage-deflate');
const { EMPTY_BUFFER, kWebSocket, NOOP } = require('./constants');
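Review bot: the excerpt shows only the isUint8Array import from util.types, not the site in the close-frame path where it is consulted, so these lines alone do not let a reviewer confirm that a typed-array reason is copied into a fresh, fully written Buffer before the frame is built; the excerpt should include that branch. Note also that isUint8Array is true only for Uint8Array (and Buffer), not for the Uint16Array or Float32Array values the analysis above names, so if those views are meant to be accepted they need a separate check such as ArrayBuffer.isView followed by a bounded copy of exactly byteLength bytes from byteOffset, and if they are instead rejected the analysis text should say so.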
// Source: https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086
The patch imports isUint8Array from Node.js util.types so the sender can detect typed array inputs and normalize them before constructing the close frame.
Detection Methods for CVE-2026-45736
Indicators of Compromise
- Outbound WebSocket close frames containing non-printable or high-entropy bytes in the reason field that do not match application-defined close reasons.
- Anomalous close frame payloads of consistent length but varying content across sessions, suggesting buffer reuse leakage.
- Application logs showing websocket.close() invocations with TypedArray arguments originating from untrusted input sources.
Detection Strategies
- Inventory all Node.js applications and identify dependencies on ws versions prior to 8.20.1 using npm ls ws or software composition analysis tooling.
- Inspect application source code for calls to ws.close() or websocket.close() where the reason parameter accepts client-controlled or TypedArray data.
- Deploy WebSocket traffic inspection at gateways to flag close frames with reason payloads that deviate from documented application values.
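The indicators above (non-printable or non-UTF-8 bytes in the reason field, payloads that do not match documented application values) can be checked mechanically at a gateway. The following inspector is an added example, not part of the advisory or the ws project: it decodes one WebSocket close frame as laid out in RFC 6455 (opcode 0x8, 2-byte status code, then reason) and reports findings; the allow-list argument and sample frames are constructed for illustration.

```javascript
// Added example (not ws project code): inspect one WebSocket close frame and
// flag reason payloads that look like leaked memory rather than an
// application-defined close reason. Handles both unmasked (server->client)
// and masked (client->server) frames.
const CONTROL_BYTE = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;

function isValidUtf8(buf) {
  try {
    new TextDecoder('utf-8', { fatal: true }).decode(buf);
    return true;
  } catch {
    return false;
  }
}

// frame: Buffer holding exactly one close frame.
// allowedReasons: optional Set of reason strings the application is known to send.
function inspectCloseFrame(frame, allowedReasons) {
  if (frame.length < 2) throw new RangeError('frame too short');
  const opcode = frame[0] & 0x0f;
  if (opcode !== 0x8) throw new RangeError(`not a close frame (opcode 0x${opcode.toString(16)})`);
  const masked = (frame[1] & 0x80) !== 0;
  const len = frame[1] & 0x7f;
  // Control frames may not use the 126/127 extended-length encodings.
  if (len > 125) throw new RangeError('control frame payload exceeds 125 bytes');
  const start = masked ? 6 : 2;
  let payload = frame.subarray(start, start + len);
  if (payload.length !== len) throw new RangeError('truncated frame');
  if (masked) {
    const key = frame.subarray(2, 6);
    const unmasked = Buffer.alloc(len);
    for (let i = 0; i < len; i++) unmasked[i] = payload[i] ^ key[i % 4];
    payload = unmasked;
  }
  const findings = [];
  let code = null;
  let reason = Buffer.alloc(0);
  if (payload.length === 1) findings.push('1-byte close payload (protocol error)');
  if (payload.length >= 2) {
    code = payload.readUInt16BE(0);
    reason = payload.subarray(2);
  }
  if (reason.length > 0) {
    if (!isValidUtf8(reason)) findings.push('reason is not valid UTF-8');
    else if (CONTROL_BYTE.test(reason.toString('utf8'))) findings.push('reason contains control bytes');
    if (allowedReasons && !allowedReasons.has(reason.toString('utf8'))) {
      findings.push('reason not in application allow-list');
    }
  }
  return { code, reason, masked, findings };
}
```

A gateway would feed every close frame it relays through inspectCloseFrame and alert on any non-empty findings list, which covers both the entropy and the allow-list indicators without decoding application traffic.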
Monitoring Recommendations
- Enable verbose logging on WebSocket termination events, capturing the type and origin of the reason argument.
- Monitor egress traffic from Node.js services for unusual WebSocket close frame sizes or entropy patterns.
- Integrate dependency scanning into continuous integration pipelines to fail builds that pull vulnerable ws versions.
How to Mitigate CVE-2026-45736
Immediate Actions Required
- Upgrade ws to version 8.20.1 or later in all Node.js applications and rebuild deployment artifacts.
- Audit application code paths that forward client-supplied data into websocket.close() and reject TypedArray inputs at the application boundary.
- Restart long-running Node.js services after upgrade to ensure the patched library is loaded into memory.
Patch Information
The vulnerability is fixed in ws version 8.20.1. The fix is committed in websockets/ws commit c0327ec and described in the GitHub Security Advisory GHSA-58qx-3vcg-4xpx. Application owners should update package.json and lock files, then verify the resolved version using npm ls ws.
Workarounds
- Coerce all reason arguments to Buffer or string before invoking websocket.close(), for example Buffer.from(reason.buffer, reason.byteOffset, reason.byteLength).
- Restrict the reason parameter to a fixed enumeration of application-defined strings rather than passing client-controlled data.
- Place untrusted WebSocket endpoints behind a reverse proxy that strips or rewrites close frame reason payloads.
# Upgrade ws to the patched version
npm install ws@^8.20.1
# Verify the resolved version across the dependency tree
npm ls ws
# Audit for known advisories
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.