Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package ws, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (6)
CVE-2016-10518 — CVSS 7.5 (high): A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a…
CVE-2016-10542 — CVSS 7.5 (high): ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455"…
CVE-2024-37890 — CVSS 7.5 (high): ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount…
CVE-2026-48779 — CVSS 7.5 (high): ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to…
CVE-2021-32640 — CVSS 5.3 (medium): ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can…
CVE-2026-45736 — CVSS 4.4 (medium): ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to…