CVE-2016-10518
remote memory disclosure vulnerability in ws (npm)

Category: remote memory disclosure. Exploit status: no known exploit.

What is CVE-2016-10518 About?

This is a remote memory disclosure vulnerability in `ws` versions prior to 1.0.1, occurring when user-controlled arguments are passed to `client.ping()`. It can lead to the disclosure of sensitive information residing in allocated but non-zero-filled memory buffers to a remote server. Exploitation is conditional on specific application logic allowing user control over the `client.ping()` arguments, which makes it somewhat difficult to exploit reliably.

Affected Software

ws <1.0.1

Technical Details

The vulnerability arises in ws versions prior to 1.0.1 when an application allows user-controlled arguments to be passed to the `client.ping()` method. Specifically, if a user can dictate a numeric length argument for `client.ping()`, the ws library allocates a buffer of that length and sends it as the ping frame's payload. If that buffer is allocated but not explicitly zero-filled, it may contain remnants of previously used data. This uninitialized memory content is then transmitted to the remote server in the ping payload (which a compliant server also echoes back in its pong response), effectively disclosing potentially sensitive information that was previously stored in that memory region.

What is the Impact of CVE-2016-10518?

Successful exploitation may allow attackers to gain access to sensitive information, leading to unauthorized data exposure, compromise of confidentiality, and potential further attacks based on the disclosed data.

What is the Exploitability of CVE-2016-10518?

Exploitation of this vulnerability is of moderate complexity, requiring specific application logic where user input directly influences the arguments of a client.ping() call. No authentication or privileged access is needed, as the data disclosure occurs during a standard client-server communication initiated by the vulnerable client. The attack is remote, as the disclosed memory contents are sent to a remote server. A significant constraint is the reliance on uninitialized memory, meaning the content of the disclosed data is unpredictable and dependent on prior memory usage. The likelihood increases if the application frequently handles sensitive data in memory that is subsequently deallocated and then reallocated without sanitization.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2016-10518?

Available Upgrade Options

  • ws
    • <1.0.1 → Upgrade to 1.0.1


Additional Resources

What are Similar Vulnerabilities to CVE-2016-10518?

Similar Vulnerabilities: CVE-2017-5753, CVE-2014-0160, CVE-2018-3615, CVE-2016-5195, CVE-2019-1125