PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45736 websockets CVE debrief

CVE-2026-45736 affects ws, the open source WebSocket client and server library for Node.js. The issue is an uninitialized memory disclosure in websocket.close() when a TypedArray is supplied as the reason argument. The fix is in ws 8.20.1. The CVE was published on 2026-05-15 and last updated on 2026-05-19.

Vendor
websockets
Product
ws
CVSS
MEDIUM 4.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-19
Advisory published
2026-05-15
Advisory updated
2026-05-19

Who should care

Teams running Node.js applications or services that depend on ws, directly or transitively, and in particular any code path that calls websocket.close() with a reason value that is, or is derived from, a TypedArray.

Technical summary

According to the supplied advisory text, versions of ws prior to 8.20.1 can expose uninitialized memory when websocket.close() is invoked with a TypedArray as the reason value. The NVD metadata supplied with the record scores the issue CVSS 4.4 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N, that is, network-reachable, high attack complexity, high privileges required, no user interaction, with a confidentiality-only impact, and classifies it as CWE-908 (Use of Uninitialized Resource). The supplied references point to the upstream GitHub security advisory for ws and the fixing commit.
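The following is an added illustration, not code from ws and not a reproduction of the fixing commit. It is a constructed sketch of the general Node.js pitfall that produces this class of bug (CWE-908) when a TypedArray is sized by byte length but copied by element count into memory from Buffer.allocUnsafe(), beside a hardened form that first normalises the reason to a byte view and allocates zero-filled memory. All function names, the 123-byte limit check and the sample input are assumptions made for the example; the actual ws internals may differ.

```javascript
// Added example, not ws project code. Constructed sketch of the
// length-versus-element-count pitfall behind an uninitialised-memory
// disclosure, plus a hardened form. Names are made up for illustration.

// Hypothetical vulnerable pattern: size by byteLength, fill with set().
function buildClosePayloadUnsafe(code, reason) {
  // For a TypedArray, Buffer.byteLength() returns its byte length
  // (e.g. 4 for a two-element Uint16Array).
  const length = Buffer.byteLength(reason);
  const buf = Buffer.allocUnsafe(2 + length); // not zero-filled
  buf.writeUInt16BE(code, 0);
  if (typeof reason === 'string') {
    buf.write(reason, 2);
  } else {
    // TypedArray.prototype.set() copies reason.length elements, each
    // truncated to 8 bits, so for any TypedArray wider than 8 bits the
    // tail of buf keeps whatever the allocator left there.
    buf.set(reason, 2);
  }
  return buf;
}

// Number of bytes in the unsafe payload that are allocated but never written.
function unwrittenTailBytes(reason) {
  if (typeof reason === 'string' || Buffer.isBuffer(reason)) return 0;
  return reason.byteLength - reason.length;
}

// Hardened form: normalise the reason to a byte view first.
function toReasonBytes(reason) {
  if (typeof reason === 'string') return Buffer.from(reason, 'utf8');
  if (Buffer.isBuffer(reason)) return reason;
  if (ArrayBuffer.isView(reason)) {
    // Same memory viewed as bytes: no element truncation, exact length.
    return Buffer.from(reason.buffer, reason.byteOffset, reason.byteLength);
  }
  throw new TypeError('reason must be a string, Buffer or ArrayBufferView');
}

function buildClosePayloadSafe(code, reason) {
  const bytes = toReasonBytes(reason);
  // Assumed limit: a WebSocket close frame payload is at most 125 bytes,
  // two of which carry the status code.
  if (bytes.length > 123) {
    throw new RangeError('close reason must not exceed 123 bytes');
  }
  const buf = Buffer.alloc(2 + bytes.length); // zero-filled
  buf.writeUInt16BE(code, 0);
  bytes.copy(buf, 2);
  return buf;
}

// Constructed input: two 16-bit elements, i.e. 4 bytes but only 2 elements.
const SAMPLE_REASON = new Uint16Array([0x4142, 0x4344]);

console.log('unsafe payload:', buildClosePayloadUnsafe(1000, SAMPLE_REASON));
console.log('bytes never written:', unwrittenTailBytes(SAMPLE_REASON));
console.log('safe payload:  ', buildClosePayloadSafe(1000, SAMPLE_REASON));
```

With the sample input the unsafe builder allocates six bytes but writes only four, so the last two bytes of the payload are whatever the allocator pool held; the safe builder writes exactly the four bytes of the view. Until the upgrade lands, the same normalisation can be applied at call sites (socket.close(code, toReasonBytes(reason))) or, more conservatively since the advisory text on this page does not say which array widths are affected, the reason can be passed as a string.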

Defensive priority

Medium priority: patch during the next maintenance window, and sooner if your application reaches websocket.close() through code paths where the reason value can be influenced by remote or multi-tenant input, since a close reason is transmitted to the remote peer.

Recommended defensive actions

  • Upgrade ws to 8.20.1 or later as soon as practical.
  • Inventory services and libraries that depend on ws and confirm whether they call websocket.close() with reason values derived from application data.
  • Review any code that passes TypedArray objects into websocket.close() and, until the upgrade is complete, pass the reason as a string instead.
  • After upgrading, verify dependency resolution so that transitive copies of ws nested under other packages are also brought to 8.20.1 or newer, not only the top-level copy.
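The inventory and post-upgrade verification steps above can be scripted against the lockfile. The following is an added example written for this debrief, not a PatchSiren or ws project tool: it walks a package-lock.json (lockfileVersion 1, 2 or 3), lists every installed copy of ws including nested transitive copies, and flags those below 8.20.1. The embedded lockfile is constructed sample data; the function names and the simple three-component version comparison (prerelease and build suffixes are ignored) are assumptions of the example.

```javascript
// Added example (not PatchSiren or ws project code): find every copy of ws
// in a package-lock.json and report those older than the fixed version.

const FIXED_WS_VERSION = '8.20.1';

// Parse "major.minor.patch" from a version string, ignoring any suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy of `name` with its install path and version.
function installedCopies(lock, name) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" trees.
    const walk = (deps, prefix) => {
      for (const [depName, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Copies of ws still below the fixed version.
function vulnerableWsCopies(lock) {
  return installedCopies(lock, 'ws').filter(
    (c) => compareVersions(c.version, FIXED_WS_VERSION) < 0
  );
}

// Constructed sample: the top-level ws is fixed, but a client library
// pins its own nested copy that is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/ws': { version: '8.20.1' },
    'node_modules/some-client': { version: '1.2.3', dependencies: { ws: '~8.17.0' } },
    'node_modules/some-client/node_modules/ws': { version: '8.17.1' },
  },
};

// Pass a real lockfile path as the first argument; otherwise use the sample.
const lock = process.argv[2]
  ? JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'))
  : SAMPLE_LOCK;
for (const c of installedCopies(lock, 'ws')) {
  const status = compareVersions(c.version, FIXED_WS_VERSION) < 0 ? 'VULNERABLE' : 'ok';
  console.log(`${status}\t${c.path}\t${c.version}`);
}
```

Run it as `node check-ws.js package-lock.json` in each service repository; a VULNERABLE line for a nested path means a dependency is pinning its own ws copy and needs an override or an upstream bump, not just a top-level `npm update ws`.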

Evidence notes

The source corpus is limited to the NVD record and the upstream GitHub advisory and commit references. The advisory description explicitly states that the vulnerability exists in versions prior to 8.20.1 and is fixed in 8.20.1. NVD metadata for this record is marked "Undergoing Analysis" as of the supplied modified time, so the CVSS score and CWE above may still be revised, and the record includes the referenced upstream advisory and commit. No KEV entry was supplied.

Official resources

The vulnerability was publicly disclosed in the upstream ws GitHub security advisory and reflected in the CVE record published on 2026-05-15, with a later CVE metadata update on 2026-05-19.