GitHub Advisory DatabaseGHSA-GPW9-FWM8-7RX7DoS vulnerability for apps with sockets enabled
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
29.4%
Impact
In Sails apps <=v1.5.6, an attacker can send a virtual request that will cause the node process to crash.
Patches
This behavior was fixed in Sails v1.5.7
Workarounds
Disable the sockets hook and remove the sails.io.js client
References
https://github.com/balderdashy/sails/pull/7287
Big thanks to @ThomasRinsma at Codean!
Affected configurations
References
github.com/advisories/GHSA-gpw9-fwm8-7rx7
github.com/balderdashy/sails/commit/4a023dc5095a4b30fdc8535f705ed34cd22d2f7d
github.com/balderdashy/sails/pull/7287
github.com/balderdashy/sails/releases/tag/v1.5.7
github.com/balderdashy/sails/security/advisories/GHSA-gpw9-fwm8-7rx7
nvd.nist.gov/vuln/detail/CVE-2023-38504
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
29.4%