CVE-2022-41940

2022-11-2201:15:37

Google

osv.dev

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

33.9%

JSON

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.

CPENameOperatorVersion
engine.ioeq4.0.6
engine.ioeq4.1.1
engine.ioeq2.0.0
engine.ioeq1.6.4
engine.ioeq0.2.0
engine.ioeq5.1.1
engine.ioeq1.8.2
engine.ioeq0.7.2
engine.ioeq6.1.3
engine.ioeq0.8.0

Name	Operator	Version
engine.io	eq	4.0.6
engine.io	eq	4.1.1
engine.io	eq	2.0.0
engine.io	eq	1.6.4
engine.io	eq	0.2.0
engine.io	eq	5.1.1
engine.io	eq	1.8.2
engine.io	eq	0.7.2
engine.io	eq	6.1.3
engine.io	eq	0.8.0