Summary
The ws dependency is pinned at 8.20.0 in package.json, which is affected by CVE-2026-45736 / GHSA-58qx-3vcg-4xpx — an uninitialized memory disclosure vulnerability in websocket.close().
Details
- Affected versions: ws >= 8.0.0, < 8.20.1
- Patched version: ws 8.20.1
- Severity: Moderate (CVSS 4.4)
- CWE: CWE-908 (Use of Uninitialized Resource)
The vulnerability allows uninitialized memory to be disclosed to a remote peer when a TypedArray (e.g. Float32Array) is passed as the reason argument for websocket.close(), rather than the supported string or Buffer types.
Fix
Bump ws from 8.20.0 to 8.20.1 in package.json. This is a patch-level semver update with no breaking changes.
Environment
- pm2 version: 7.0.1 (master) / 7.0.2 (development)
- Node.js version: v22
- OS: Ubuntu Linux
References