Lucene search

K
githubGitHub Advisory DatabaseGHSA-CQMJ-92XF-R6R9
HistoryMay 23, 2023 - 7:55 p.m.

Insufficient validation when decoding a Socket.IO packet

2023-05-2319:55:13
CWE-20
CWE-754
GitHub Advisory Database
github.com
60
node.js
socket.io
validation
exception
server
security advisory

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.2

Confidence

High

EPSS

0.003

Percentile

65.4%

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

Another fix has been released for the 3.3.x branch:

socket.io version socket.io-parser version Needs minor update?
4.5.2...latest ~4.2.0 (ref) npm audit fix should be sufficient
4.1.3...4.5.1 ~4.1.1 (ref) Please upgrade to [email protected]
3.0.5...4.1.2 ~4.0.3 (ref) Please upgrade to [email protected]
3.0.0...3.0.4 ~4.0.1 (ref) Please upgrade to [email protected]
2.3.0...2.5.0 ~3.4.0 (ref) npm audit fix should be sufficient

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

Affected configurations

Vulners
Node
socket.ioparserRange<3.3.4
OR
socket.ioparserRange<4.2.3
OR
socket.ioparserRange<3.4.3

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.2

Confidence

High

EPSS

0.003

Percentile

65.4%