[security] Fix uninitialized memory disclosure in websocket.close()

lpinca · lpinca · commit c0327ec15a54 · 2026-05-12T17:42:19.000+02:00
When the `reason` argument for `websocket.close()` is a `TypedArray`
instead of a string or `Buffer`, the function does not correctly
overwrite the dirty buffer allocated via `Buffer.allocUnsafe()`. This
results in the disclosure of uninitialized memory, potentially leaking
sensitive data to the remote peer.

Add stricter validation for the argument type.
diff --git a/lib/sender.js b/lib/sender.js
@@ -4,6 +4,9 @@
 
 const { Duplex } = require('stream');
 const { randomFillSync } = require('crypto');
+const {
+  types: { isUint8Array }
+} = require('util');
 
 const PerMessageDeflate = require('./permessage-deflate');
 const { EMPTY_BUFFER, kWebSocket, NOOP } = require('./constants');
@@ -200,8 +203,10 @@ class Sender {
 
       if (typeof data === 'string') {
         buf.write(data, 2);
-      } else {
+      } else if (isUint8Array(data)) {
         buf.set(data, 2);
+      } else {
+        throw new TypeError('Second argument must be a string or a Uint8Array');
       }
     }
 
diff --git a/test/sender.test.js b/test/sender.test.js
@@ -439,6 +439,16 @@ describe('Sender', () => {
       );
     });
 
+    it('throws an error if the second argument is invalid', () => {
+      const mockSocket = new MockSocket();
+      const sender = new Sender(mockSocket);
+
+      assert.throws(
+        () => sender.close(1000, new Float32Array(20)),
+        /^TypeError: Second argument must be a string or a Uint8Array$/
+      );
+    });
+
     it('throws an error if the message is greater than 123 bytes', () => {
       const mockSocket = new MockSocket();
       const sender = new Sender(mockSocket);
