GitHub Advisory Database: GHSA-273R-MGR4-V34F
History: Jan 13, 2022 - 4:14 p.m.

Uncaught Exception in engine.io

2022-01-13 16:14:17
CWE-754
CWE-755
GitHub Advisory Database
github.com

7.5 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.002 Low
Percentile: 61.9%

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

> RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
> at Receiver.getInfo (/…/node_modules/ws/lib/receiver.js:176:14)
> at Receiver.startLoop (/…/node_modules/ws/lib/receiver.js:136:22)
> at Receiver._write (/…/node_modules/ws/lib/receiver.js:83:10)
> at writeOrBuffer (internal/streams/writable.js:358:12)

This impacts all users of the engine.io package starting from version 4.0.0, including those who use dependent packages such as socket.io.

Patches

A fix has been released for each major branch:

Version range       | Fixed version
[email protected] | 4.1.2
[email protected] | 5.2.1
[email protected] | 6.1.1

Previous versions (< 4.0.0) are not impacted.

For socket.io users:

Version range       | engine.io version | Needs minor update?
[email protected] | ~6.1.0            | -
[email protected] | ~6.0.0            | Please upgrade to [email protected]
[email protected] | ~5.2.0            | -
[email protected] | ~5.1.1            | Please upgrade to [email protected]
[email protected] | ~5.0.0            | Please upgrade to [email protected]
[email protected] | ~4.1.0            | -
[email protected] | ~4.0.0            | Please upgrade to [email protected] or [email protected] (see here)

In most cases, running npm audit fix should be sufficient. You can also use npm update engine.io --depth=9999.

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

CPE Name  | Operator | Version
engine.io | lt       | 6.1.1
engine.io | lt       | 5.2.1
engine.io | lt       | 4.1.2
