CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.001 Low (Percentile 29.6%)
The Feathers socket handler did not catch invalid string conversion errors, such as the TypeError thrown by:
const message = `${{ toString: '' }}`
This caused the Node.js process to crash when a client sent an unexpected Socket.io message such as:
socket.emit('find', { toString: '' })
A fix has been released in v5.0.8 via #3241 and in v4.5.18 via #3242. Since the bug is in the core socket handling code, upgrading to the latest version is necessary.
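The following is an added example, not code from the Feathers project: it reproduces the string conversion failure described above and contrasts a handler that lets it escape with one that contains it per message. The handler names and sample messages are constructed for illustration.

```javascript
// Template literals coerce interpolated values with ToPrimitive (hint "string").
// For { toString: '' } the non-callable toString is skipped, valueOf returns the
// object itself, and the conversion throws a TypeError.
function describe(path, data) {
  return `${path}: ${data}`;
}

// Vulnerable shape: untrusted payload data is interpolated with no try/catch.
// Thrown inside a socket event callback, the error is unhandled and the
// Node.js process terminates.
function handleUnsafe(path, data) {
  return describe(path, data);
}

// Hardened shape: the conversion happens inside a try/catch and a failure
// becomes an error response for that one message instead of a process crash.
function handleSafe(path, data) {
  try {
    return { ok: true, message: describe(path, data) };
  } catch (err) {
    return { ok: false, error: `invalid message for ${path}: ${err.name}` };
  }
}

// Returns true when the unsafe handler would throw for this payload,
// i.e. when a process crash would occur without the catch.
function crashes(data) {
  try {
    handleUnsafe('find', data);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample messages, modelled on the advisory's example.
const benign = { query: { id: 1 } };       // converts to "[object Object]"
const malformed = { toString: '' };        // conversion throws TypeError

console.log(crashes(benign));              // false
console.log(crashes(malformed));           // true
console.log(handleSafe('find', malformed)); // { ok: false, error: 'invalid message for find: TypeError' }
```

The same failure occurs with any toString-based coercion of the payload (String(data), string concatenation), so the catch belongs around the whole per-message handling path, not just one template literal.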
| CPE | Name | Operator | Version |
|---|---|---|---|
| | @feathersjs/transport-commons | le | 5.0.7 |
| | @feathersjs/transport-commons | le | 4.5.17 |
| | @feathersjs/socketio | le | 5.0.7 |
| | @feathersjs/socketio | le | 4.5.17 |
github.com/advisories/GHSA-hhr9-rh25-hvf9
github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19
github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19
github.com/feathersjs/feathers/commit/0b9a6b19b12ad05934e4c8bd9917448ed39d1ed8
github.com/feathersjs/feathers/commit/c397ab3a0cd184044ae4f73540549b30a396821c
github.com/feathersjs/feathers/pull/3241
github.com/feathersjs/feathers/pull/3242
github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9
nvd.nist.gov/vuln/detail/CVE-2023-37899