PT-2018-4698 · Ws · Ws
Feross +1 · Published 2018-05-31 · Updated 2019-10-09 · CVE-2016-10518
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
ws versions prior to 1.0.1
Description
A vulnerability was found in the ping functionality of the ws module, allowing clients to allocate memory by sending a ping frame. The ping functionality responds with a pong frame and the previously given payload of the ping frame. Internally, ws transforms all data to be sent into a Buffer instance without checking the type of data, which leads to the vulnerability. This issue can cause a remote memory disclosure in certain circumstances, potentially disclosing sensitive information that still exists in memory after previous use.
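The missing type check described above, shown as an added example (not code from the ws project or from this advisory). It assumes the unchecked value is a number, which `new Buffer(value)` in Node.js releases before 8.0 treated as a length and returned without zeroing; `legacyToBuffer`, `toPingPayload` and `MAX_CONTROL_PAYLOAD` are hypothetical names.

```javascript
// Added example. Models what `new Buffer(value)` did on Node.js < 8.0:
// a number was interpreted as a LENGTH and the memory was not zero-filled.
function legacyToBuffer(value) {
  if (typeof value === 'number') return Buffer.allocUnsafe(value);
  return Buffer.from(value);
}

// RFC 6455 caps control-frame payloads (ping/pong/close) at 125 bytes.
const MAX_CONTROL_PAYLOAD = 125;

// Hypothetical hardened conversion: only strings and Buffers are accepted,
// so a caller-supplied value can never select an allocation size.
function toPingPayload(value) {
  if (value === undefined || value === null) return Buffer.alloc(0);
  let buf;
  if (Buffer.isBuffer(value)) {
    buf = value;
  } else if (typeof value === 'string') {
    buf = Buffer.from(value, 'utf8');
  } else {
    throw new TypeError('ping payload must be a string or Buffer, got ' + typeof value);
  }
  if (buf.length > MAX_CONTROL_PAYLOAD) {
    throw new RangeError('ping payload exceeds ' + MAX_CONTROL_PAYLOAD + ' bytes');
  }
  return buf;
}

// Constructed inputs: the same value 50 as a number and as a string.
function demo() {
  const out = {};
  // Legacy path: 50 bytes whose content is whatever was in memory.
  out.legacyLength = legacyToBuffer(50).length;
  // Hardened path: the string "50" becomes the two bytes 0x35 0x30.
  out.stringBytes = toPingPayload('50').toString('hex');
  try {
    toPingPayload(50);
    out.numberRejected = false;
  } catch (err) {
    out.numberRejected = err instanceof TypeError;
  }
  return out;
}
```

An application that forwards client-influenced values to `ping()` on an unpatched version can apply the same type check at its own call site until the upgrade is deployed.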
Recommendations
Update to version 1.0.1 or greater.
As a temporary workaround, consider restricting the use of the client.ping() function to minimize the risk of exploitation.
Fix
Buffer Overflow
Affected Products
Ws