Some of the most consequential vulnerabilities live in code almost no one names directly but nearly everyone runs. The ws library — the dominant WebSocket client and server implementation for Node.js — is one of those dependencies, sitting beneath countless web applications, real-time services, and frameworks. CVE-2026-45736 is a memory-disclosure flaw in ws that, while modest in its CVSS score, is worth dissecting because it illustrates a category of bug that is easy to introduce and easy to overlook: leaking uninitialized memory back to the network.
The National Vulnerability Database record is concise. Prior to version 8.20.1, “the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument.” The WebSocket protocol allows a closing endpoint to send a short reason string explaining why it is terminating the connection. In ws, an application could supply that reason as a JavaScript TypedArray — a view onto a binary buffer. The defect is in how the library copied that reason into the close frame it sent over the wire. The fix arrived in ws 8.20.1.
The CWE class: use of uninitialized resource
NVD classifies the flaw as CWE-908: Use of Uninitialized Resource. This weakness describes a program that uses a resource — here, a region of memory — before it has been properly initialized with intended data. Even in nominally memory-safe runtimes, just as in low-level buffer handling, allocating a buffer does not guarantee it is zeroed; it may still contain whatever bytes were last written to that memory by a previous operation. If a program allocates a buffer of a given length but only fills part of it, then sends or exposes the whole buffer, the unfilled bytes are leaked. Those leftover bytes can contain fragments of other data the process handled — other users’ messages, internal state, or, in the worst cases, secrets.
The TypedArray detail is the crux. A TypedArray is a typed view that may reference only a slice of a larger underlying ArrayBuffer, and it carries both a byte offset and a length. When code mishandles those properties — for instance, allocating an output buffer based on one length but copying based on another, or failing to account for the view’s offset — it can end up with a destination buffer whose tail was never written. Sending that buffer as the close reason ships uninitialized bytes to the peer. An attacker positioned to receive close frames, or to induce a server into closing connections with attacker-influenced parameters, could harvest those leaked bytes and, over many connections, reconstruct fragments of process memory. The 8.20.1 fix corrects the buffer handling so that only properly initialized, intended data is placed in the frame.
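The following is an added illustration, not the ws library's code: a hypothetical close-frame builder that makes the two mistakes the paragraph above describes (sizing the output from one length while copying by another, and ignoring the view's byte offset), placed beside a hardened version that honours the view's offset and length, allocates zero-filled memory, and verifies that every reason byte was written. The names buildCloseFrameVulnerable, buildCloseFrameFixed, staleAlloc and demo, and the sample backing buffer, are all constructed for this example.

```javascript
// Added example (not the ws library's code): a hypothetical close-frame builder that
// shows the CWE-908 pattern the article describes, next to a hardened version.
// A WebSocket close payload is a 2-byte big-endian status code followed by the reason bytes.

// Stand-in for recycled memory. Real code would call Buffer.allocUnsafe(), whose contents
// are whatever was last in the pool; filling with 0xAA makes stale bytes observable.
function staleAlloc(size) {
  return Buffer.alloc(size, 0xaa);
}

// VULNERABLE (hypothetical): the output is sized from byteLength, but the copy is driven
// by the element count (.length) and starts at offset 0 of the backing store instead of
// at .byteOffset. For a Uint16Array that fills only half of the reason bytes; the rest
// is never written, and the bytes that are copied lie outside the caller's view.
function buildCloseFrameVulnerable(code, reason, allocate = Buffer.allocUnsafe) {
  const payload = allocate(2 + reason.byteLength);
  payload.writeUInt16BE(code, 0);
  Buffer.from(reason.buffer).copy(payload, 2, 0, reason.length);
  return payload;
}

// FIXED: view exactly the bytes the caller handed us (offset and byteLength honoured),
// allocate zero-filled memory, and check that the copy covered every reason byte.
function buildCloseFrameFixed(code, reason) {
  const reasonBytes = Buffer.from(reason.buffer, reason.byteOffset, reason.byteLength);
  const payload = Buffer.alloc(2 + reasonBytes.length);
  payload.writeUInt16BE(code, 0);
  const copied = reasonBytes.copy(payload, 2);
  if (copied !== reasonBytes.length) {
    throw new Error(`short copy: ${copied} of ${reasonBytes.length} reason bytes`);
  }
  return payload;
}

// Constructed backing store: 4 bytes of unrelated data, then "ABC" as UTF-16LE, then
// 6 more unrelated bytes. The caller's reason is a Uint16Array view over the middle 6 bytes.
const BACKING = new Uint8Array([
  0x10, 0x11, 0x12, 0x13,
  0x41, 0x00, 0x42, 0x00, 0x43, 0x00,
  0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
]);
const REASON = new Uint16Array(BACKING.buffer, 4, 3);

// Builds both frames for status code 1000 and counts the bytes the vulnerable builder
// never wrote (still carrying the stale 0xAA marker).
function demo() {
  const vulnerable = buildCloseFrameVulnerable(1000, REASON, staleAlloc);
  const fixed = buildCloseFrameFixed(1000, REASON);
  let staleBytes = 0;
  for (const b of vulnerable.subarray(2)) {
    if (b === 0xaa) staleBytes++;
  }
  return { vulnerable, fixed, staleBytes };
}

const { vulnerable, fixed, staleBytes } = demo();
console.log('vulnerable frame:', vulnerable.toString('hex'), `(${staleBytes} bytes never written)`);
console.log('fixed frame:     ', fixed.toString('hex'));
```

Running it prints a vulnerable frame whose last three bytes are the stale marker and whose copied bytes come from outside the caller's view, against a fixed frame that contains only the status code and the six intended reason bytes. The check on the return value of copy is the cheap runtime guard behind the discipline the article closes with: every byte placed on the wire should be a byte the code deliberately wrote.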
Why the CVSS is 4.4 Medium
The record assigns a CVSS v3.1 base score of 4.4 (Medium), vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N. The number is comparatively low, and the vector explains why — this is a case where understanding the metrics matters more than the headline score. The impact is confined to confidentiality (C:H, because leaked memory can include sensitive data) with no integrity or availability impact (I:N/A:N); the bug discloses information, it does not corrupt or crash anything. More importantly, two metrics suppress the score: Attack Complexity is High (AC:H) and Privileges Required is High (PR:H). The high complexity reflects that exploitation depends on specific conditions — the application must pass a TypedArray as the close reason, and the attacker must be able to observe the leaked frames and make sense of essentially random memory fragments. The high-privilege requirement reflects that triggering the vulnerable path generally depends on a privileged or trusted position relative to the application’s use of the API.
That scoring is a useful reminder that severity is contextual. A memory disclosure is not automatically catastrophic, but it is not nothing: information leaks are frequently a building block in larger attacks, helping defeat address-space layout randomization or exposing tokens that enable a more serious follow-on. For a library as widely embedded as ws, even a Medium-rated leak is worth patching promptly because the same code runs in an enormous number of deployments with very different sensitivities.
What is affected and how to remediate
The affected component is the ws Node.js WebSocket library in all versions prior to 8.20.1, with the fix in 8.20.1. The remediation is to upgrade ws to 8.20.1 or later. Because ws is almost always a transitive dependency — pulled in by frameworks and higher-level libraries rather than installed directly — the practical work is to run a dependency audit (for example, npm audit or an SCA tool) and to update or override the resolved ws version across the dependency tree. Lockfiles should be checked to confirm the patched version actually resolves, since a vulnerable copy can persist deep in the tree even after a top-level update.
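As an added example of the lockfile check described above (it is not part of the article and not a ws or npm tool), the script below walks an npm lockfile of lockfileVersion 2 or 3, where every installed copy is listed under "packages", and reports each ws entry whose version predates 8.20.1. The lockfile fragment, the dependency name example-realtime-lib, and the nested version 8.17.1 are constructed placeholders; isOlder and findVulnerableWs are names chosen for this example.

```javascript
// Added example (not part of the article or of ws): scan an npm lockfile (lockfileVersion
// 2 or 3, which list every installed copy under "packages") for ws entries older than the
// fixed release. Nested paths such as node_modules/<dep>/node_modules/ws are the transitive
// copies that a top-level upgrade can leave behind.

const FIXED_WS_VERSION = '8.20.1';

// Minimal semver ordering: numeric major.minor.patch, with a prerelease suffix (e.g.
// "-beta.1") sorting before the matching release. Build metadata after "+" is ignored.
function isOlder(version, reference) {
  const parse = (v) => {
    const [core, pre] = v.split('+')[0].split('-');
    return { nums: core.split('.').map(Number), pre: pre !== undefined };
  };
  const a = parse(version);
  const b = parse(reference);
  for (let i = 0; i < 3; i++) {
    const x = a.nums[i] ?? 0;
    const y = b.nums[i] ?? 0;
    if (x !== y) return x < y;
  }
  return a.pre && !b.pre;
}

// Returns every installed copy of ws whose version predates the fix, with its tree path.
// A lockfileVersion 1 file has no "packages" map and yields no findings here.
function findVulnerableWs(lockfile, fixedVersion = FIXED_WS_VERSION) {
  const packages = lockfile.packages ?? {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path !== 'node_modules/ws' && !path.endsWith('/node_modules/ws')) continue;
    if (!meta.version) continue;
    if (isOlder(meta.version, fixedVersion)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment: the top-level ws was upgraded, but a placeholder
// dependency ("example-realtime-lib") still resolves its own older copy.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { ws: '^8.20.1', 'example-realtime-lib': '^1.0.0' } },
    'node_modules/ws': { version: '8.20.1' },
    'node_modules/example-realtime-lib': { version: '1.0.0', dependencies: { ws: '^8.0.0' } },
    'node_modules/example-realtime-lib/node_modules/ws': { version: '8.17.1' },
  },
};

const findings = findVulnerableWs(SAMPLE_LOCKFILE);
for (const f of findings) {
  console.log(`${f.path}: ws ${f.version} is older than ${FIXED_WS_VERSION} (upgrade or override)`);
}
if (findings.length === 0) console.log('no ws copy older than ' + FIXED_WS_VERSION);
```

To run it against a real project, replace SAMPLE_LOCKFILE with the parsed contents of package-lock.json. The same question can be asked of npm directly with npm ls ws, which prints every resolved copy and its tree position; when a nested copy cannot be fixed by upgrading the intermediate dependency, the overrides field in package.json forces the transitive ws resolution to the patched version, after which the lockfile should be regenerated and re-scanned.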
The structural takeaway for developers extends beyond this single CVE. Whenever code copies data of attacker- or caller-influenced length into a fixed buffer and then transmits that buffer, the discipline is to ensure every byte sent is a byte intentionally written — allocate to the exact filled length, account for TypedArray offsets and lengths explicitly, and never trust that freshly allocated memory is empty. CVE-2026-45736 is a small bug with a clear fix, but the class it belongs to — leaking uninitialized memory across a trust boundary — has produced some of the most damaging disclosures in the industry’s history. Patching ws is the easy part; carrying the lesson into your own buffer-handling code is the durable one.