CVE Details
| CVE ID |
Severity |
Affected Package |
Installed Version |
Fixed Version |
Date Published |
Date of Scan |
| CVE-2026-45736 |
MEDIUM |
ws |
8.18.3 |
8.20.1 |
2026-05-15T15:16:54.103Z |
2026-05-19T10:18:21.029947541Z |
Affected Docker Images
| Image Name |
SHA |
public.ecr.aws/lambda/nodejs:latest |
public.ecr.aws/lambda/nodejs@sha256:e2370b8101db325bd8c72058fb94247b795e3493769b770821f834aee6b46a3a |
public.ecr.aws/lambda/nodejs:24 |
public.ecr.aws/lambda/nodejs@sha256:8a42dd9dd8864a07029e4f78123952ab007cc68c33f3866ec74106635a1d1a93 |
public.ecr.aws/lambda/nodejs:22 |
public.ecr.aws/lambda/nodejs@sha256:e2370b8101db325bd8c72058fb94247b795e3493769b770821f834aee6b46a3a |
Description
ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
Remediation Steps
- Update the affected package
ws from version 8.18.3 to 8.20.1.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.
CVE Details
MEDIUMws8.18.38.20.12026-05-15T15:16:54.103Z2026-05-19T10:18:21.029947541ZAffected Docker Images
public.ecr.aws/lambda/nodejs:latestpublic.ecr.aws/lambda/nodejs@sha256:e2370b8101db325bd8c72058fb94247b795e3493769b770821f834aee6b46a3apublic.ecr.aws/lambda/nodejs:24public.ecr.aws/lambda/nodejs@sha256:8a42dd9dd8864a07029e4f78123952ab007cc68c33f3866ec74106635a1d1a93public.ecr.aws/lambda/nodejs:22public.ecr.aws/lambda/nodejs@sha256:e2370b8101db325bd8c72058fb94247b795e3493769b770821f834aee6b46a3aDescription
Remediation Steps
wsfrom version8.18.3to8.20.1.About this issue