VulnerableCode Package Details

Search for packages

Vulnerability	Summary	Fixed by
VCID-37mw-j411-a3az Aliases: CVE-2016-10542 GHSA-6663-c963-2gqg	Improper Input Validation ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.	1.1.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-3znc-67dk-13bu Aliases: GMS-2016-2	Remote Memory Disclosure When given a number instead of a string, the ping function sends a non zeroed buffer of the corresponding length which exposes memory to the recipient.	1.0.1 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-4851-mkc2-pqdw Aliases: GMS-2017-331	Denial of Service A specially crafted value of the `Sec-WebSocket-Extensions` header that uses `Object.prototype` property names as extension or parameter names can be used to make a `ws` server crash.	3.3.1 Affected by 0 other vulnerabilities.
VCID-4u5m-kp7t-x3cf Aliases: GHSA-5v72-xg48-5rpm GMS-2019-145	Denial of Service in ws Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent. ## Proof of concept ``` const WebSocket = require('ws'); const net = require('net'); const wss = new WebSocket.Server({ port: 3000 }, function () { const payload = 'constructor'; // or ',;constructor' const request = [ 'GET / HTTP/1.1', 'Connection: Upgrade', 'Sec-WebSocket-Key: test', 'Sec-WebSocket-Version: 8', `Sec-WebSocket-Extensions: ${payload}`, 'Upgrade: websocket', '\r' ].join('\r'); const socket = net.connect(3000, function () { socket.resume(); socket.write(request); }); }); ``` ## Recommendation Update to version 3.3.1 or later.	1.1.5 Affected by 0 other vulnerabilities. 3.3.1 Affected by 0 other vulnerabilities.
VCID-hedn-18sd-bba2 Aliases: GMS-2016-38	DoS due to excessively large websocket message It is possible to crash the node process by sending an overly long websocket payload to a ws server.	1.1.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ja5c-kd68-67f3 Aliases: CVE-2016-10518 GHSA-2mhh-w6q8-5hxw	Improper Restriction of Operations within the Bounds of a Memory Buffer A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance and that is where the vulnerability existed. ws didn't do any checks for the type of data it was sending. With buffers in node when you allocate it when a number instead of a string it will allocate the amount of bytes.	1.0.1 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-37mw-j411-a3az
Aliases:
CVE-2016-10542
GHSA-6663-c963-2gqg

Improper Input Validation ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

1.1.1
Affected by 2 other vulnerabilities.

VCID-3znc-67dk-13bu
Aliases:
GMS-2016-2

Remote Memory Disclosure When given a number instead of a string, the ping function sends a non zeroed buffer of the corresponding length which exposes memory to the recipient.

1.0.1
Affected by 4 other vulnerabilities.

VCID-4851-mkc2-pqdw
Aliases:
GMS-2017-331

Denial of Service A specially crafted value of the `Sec-WebSocket-Extensions` header that uses `Object.prototype` property names as extension or parameter names can be used to make a `ws` server crash.

3.3.1
Affected by 0 other vulnerabilities.

VCID-4u5m-kp7t-x3cf
Aliases:
GHSA-5v72-xg48-5rpm
GMS-2019-145

Denial of Service in ws Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent. ## Proof of concept ``` const WebSocket = require('ws'); const net = require('net'); const wss = new WebSocket.Server({ port: 3000 }, function () { const payload = 'constructor'; // or ',;constructor' const request = [ 'GET / HTTP/1.1', 'Connection: Upgrade', 'Sec-WebSocket-Key: test', 'Sec-WebSocket-Version: 8', `Sec-WebSocket-Extensions: ${payload}`, 'Upgrade: websocket', '\r' ].join('\r'); const socket = net.connect(3000, function () { socket.resume(); socket.write(request); }); }); ``` ## Recommendation Update to version 3.3.1 or later.

1.1.5
Affected by 0 other vulnerabilities.

3.3.1
Affected by 0 other vulnerabilities.

VCID-hedn-18sd-bba2
Aliases:
GMS-2016-38

DoS due to excessively large websocket message It is possible to crash the node process by sending an overly long websocket payload to a ws server.

1.1.1
Affected by 2 other vulnerabilities.

VCID-ja5c-kd68-67f3
Aliases:
CVE-2016-10518
GHSA-2mhh-w6q8-5hxw

Improper Restriction of Operations within the Bounds of a Memory Buffer A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance and that is where the vulnerability existed. ws didn't do any checks for the type of data it was sending. With buffers in node when you allocate it when a number instead of a string it will allocate the amount of bytes.

1.0.1
Affected by 4 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T09:56:56.482438+00:00	GitLab Importer	Affected by	VCID-4u5m-kp7t-x3cf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/GMS-2019-145.yml	38.6.0
2026-05-31T09:54:13.648839+00:00	GitLab Importer	Affected by	VCID-ja5c-kd68-67f3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/CVE-2016-10518.yml	38.6.0
2026-05-31T09:54:05.629204+00:00	GitLab Importer	Affected by	VCID-37mw-j411-a3az	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/CVE-2016-10542.yml	38.6.0
2026-05-31T09:41:42.889828+00:00	GitLab Importer	Affected by	VCID-4851-mkc2-pqdw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/GMS-2017-331.yml	38.6.0
2026-05-31T09:35:46.627543+00:00	GitLab Importer	Affected by	VCID-hedn-18sd-bba2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/GMS-2016-38.yml	38.6.0
2026-05-31T09:34:54.027347+00:00	GitLab Importer	Affected by	VCID-3znc-67dk-13bu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/GMS-2016-2.yml	38.6.0