engine.io: Specially crafted HTTP request can trigger an uncaught exception

A flaw was found in engine.io. The Socket.IO Engine.IO is vulnerable to a denial of service caused by an uncaught exception flaw. By sending a specially-crafted HTTP request, a remote, authenticated attacker can cause the Node.js process to crash, resulting in a denial of service...

Engine.IO 安全漏洞

Engine.IO is Engine.IO open source implementation of a transport-based cross-browser/cross-device bi-directional communication layer. A security vulnerability exists in Engine.IO versions 5.1.0 through 6.4.1, which stems from a specially crafted HTTP request that can trigger an uncaught exception...

4cs-cli (>=0.0.28 <=0.0.36), @3kles/3kles-socketio (>=1.0.0 <=1.0.5) +498 more potentially affected by CVE-2023-31125 via engine.io (>=5.1.1 <=6.3.1)

engine.io NPM version =5.1.1, =0.0.28, =1.0.0, =5.1.0, =0.0.0, =0.0.1-2.1-beta-provision, =2.2.6, =2.3.10, =2.2.6, =2.1.15, =2.8.10, =2.7.0, =2.7.0, =2.5.1, =2.7.0, =2.9.36 and more Source cves: CVE-2023-31125 Source advisory: OSV:GHSA-Q9MW-68C2-J6M5...

Malicious Package

Overview engine.io-client-v3 is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this packa...

AZL-44820 CVE-2022-41940 affecting package js-jquery 3.5.0-4

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io...

Engine.IO 安全漏洞

Engine.IO is a transport-based implementation of Socket.IO's cross-browser/cross-device bi-directional communication layer.A denial-of-service vulnerability exists in versions of Socketio Engine.IO prior to 3.6.1, 4.0.0 and later, and prior to 6.2.1, which stems from a failure to properly handle...

0.edsql (>=1.0.49 <=1.0.50), 10secondsofcode-custom (=1.0.0) +1531 more potentially affected by CVE-2022-41940 via engine.io (>=4.0.6 <=6.1.3)

engine.io NPM version =4.0.6, =1.0.49, =1.0.0, =0.0.28, =1.0.1, =0.8.2, =1.0.0, =0.1.13, =0.0.4, =1.2.1, =1.0.1, =1.0.2 - @aaronconway7/create-gatsby-app =1.0.0 - @accio-cms/gatsby-starter-accio =0.0.1 - @achilleskal/awesome-blog =1.0.0 and more Source cves: CVE-2022-41940 Source advisory:...

@superdev-official/buffet-angular (=1.0.11), apps-b-builder (>=0.1.0 <=0.4.3) +9 more potentially affected by CVE-2022-25760 via accesslog (=0.0.2)

accesslog NPM version =0.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on accesslog and may be impacted: - @superdev-official/buffet-angular =1.0.11 - apps-b-builder =0.1.0, =0.6.0, =3.1.0, =0.1.0, =2.0.0, =0.4.0, =0.1.0, =0.4.1, =0.5.0 Source cves:...

10cartsharing (>=1.0.0 <=1.0.3), 1api (>=0.0.1 <=0.0.2) +7082 more potentially affected by CVE-2020-36048 via engine.io (>=0.1.0 <=3.5.0)

engine.io NPM version =0.1.0, =1.0.0, =0.0.1, =0.1.0, =1.0.2, =1.0.0-RC.1, =0.1.0, =1.0.0, =4.11.25, =0.1.4, =0.0.15, =0.0.16 and more Source cves: CVE-2020-36048 Source advisory: OSV:GHSA-J4F2-536G-R55M...

@3kles/3kles-socketio (>=1.0.0 <=1.0.5), @livejack/broker (=1.3.4) +22 more potentially affected by CVE-2022-21676 via engine.io (=6.0.1)

engine.io NPM version =6.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on engine.io and may be impacted: - @3kles/3kles-socketio =1.0.0, =0.1.0, =8.1.2, =1.4.0, =0.4.11, =0.4.0, =0.4.0, =0.4.10, =0.4.11, =0.4.5, =5.0.0, =1.0.0-alpha.1, =1.0.0-alpha....

GHSA-273R-MGR4-V34F Uncaught Exception in engine.io

Impact A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear at Receiver.getInfo /.../nodemodules/ws/lib/receiver.js:176:14 at Receiver.startLoop...

CVE-2022-21676 Uncaught Exception in engine.io

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io...

PT-2022-15028 · Engine.Io +2 · Engine.Io +2

Content removed...

AZL-44673 CVE-2020-36048 affecting package js-jquery 3.5.0-4

Engine.IO before 4.0.0 allows attackers to cause a denial of service resource consumption via a POST request to the long polling transport...

CVE-2020-36048

Engine.IO before 4.0.0 allows attackers to cause a denial of service resource consumption via a POST request to the long polling transport...

Socketio Engineio Resource Management Error Vulnerability

Socketio Engineio is a Javascript-based real-time engine for bi-directional communication between browsers and devices from the Socketio community. A security vulnerability exists in Socketio Engine.IO before 4.0.0, which can be exploited by an attacker to cause a denial of service resource...

The vulnerability of Engine.IO’s WebSocket server protocol, related to the manipulation of cross-site requests, allows attackers to perform arbitrary actions on the vulnerable system.

The vulnerability of the WebSocket protocol in the Engine.IO web server is related to the manipulation of cross-site requests. Exploiting this vulnerability allows a malicious actor to perform arbitrary actions on the vulnerable system remotely...

1tp (>=0.0.1 <=0.11.2), 5aces-service-registry (=1.0.1) +498 more potentially affected by CVE-2016-10536 via engine.io-client (>=0.1.0 <=1.6.8)

engine.io-client NPM version =0.1.0, =0.0.1, =1.0.1, =0.12.0-edge9, =0.0.1, =1.8.4, =1.0.0, =1.0.30, =0.1.0, =2.0.0-beta.1, =3.6.0, =3.7.0 and more Source cves: CVE-2016-10536 Source advisory: OSV:GHSA-4R4M-HJWJ-43P8...