CVE-2023-31125
Engine.IO in socket.io is affected by an uncaught exception vulnerability that can crash the Node.js process via a specially crafted HTTP request. Affected versions include Engine.IO 5.1.0 and 4.1.0 of the socket.io parent package; older versions are not impacted. The issue is fixed in Engine.IO ...
CVE-2023-31125 Uncaught exception in engine.io
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted. A...
engine.io Uncaught Exception vulnerability
Impact A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. TypeError: Cannot read properties of undefined reading 'handlesUpgrades' at Server.onWebSocket build/server.js:515:67 This impacts all the users of the engine.io...
Security Bulletin: Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.9 and earlier
Summary This fix upgrades to socket.io 4.5.4, protobuf-java 3.21.9 and nodejs 14.21.1. Vulnerability Details CVEID:CVE-2022-41940 DESCRIPTION: Socket.IO Engine.IO is vulnerable to a denial of service, caused by an uncaught exception flaw. By sending a specially-crafted HTTP request, a remote...
NodeBB vulnerable to account takeover via prototype vulnerability
Impact Due to a plain object with a prototype being used in socket.io message handling, a specially crafted payload can be used to impersonate other users and take over accounts. Patches Patched in 2.6.1 Workarounds Site maintainers can cherry-pick...
GHSA-RF3G-V8P5-P675 NodeBB vulnerable to account takeover via prototype vulnerability
Impact Due to a plain object with a prototype being used in socket.io message handling, a specially crafted payload can be used to impersonate other users and take over accounts. Patches Patched in 2.6.1 Workarounds Site maintainers can cherry-pick...
CVE-2022-46164
NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling, a specially crafted payload can be used to impersonate other users and take over accounts. This vulnerability has been patched in version 2.6.1. Users are advised ...
PT-2022-27780 · Nodebb · Nodebb
Name of the Vulnerable Software and Affected Versions: NodeBB versions prior to 2.6.1 Description: The issue arises from a plain object with a prototype being used in socket.io message handling, allowing a specially crafted payload to impersonate other users and take over accounts. Recommendations...
CVE-2022-41940
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io...
Cross site scripting
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io...
CVE-2022-41940 Uncaught exception in engine.io
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io...
CVE-2022-41940
CVE-2022-41940 affects Engine.IO, the transport layer used by Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, causing the Node.js process to crash and resulting in a denial of service. Affected are Engine.IO versions prior to patches released...
Uncaught exception in engine.io
Impact A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. events.js:292 throw er; // Unhandled 'error' event ^ Error: read ECONNRESET at TCP.onStreamRead internal/streambasecommons.js:209:20 Emitted 'error' event on Socket...
GHSA-R7QP-CFHV-P84W Uncaught exception in engine.io
Impact A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. events.js:292 throw er; // Unhandled 'error' event ^ Error: read ECONNRESET at TCP.onStreamRead internal/streambasecommons.js:209:20 Emitted 'error' event on Socket...
Type Confusion
socket.io-parser is vulnerable to type confusion. It is possible to overwrite the placeholder object due to improper type validation of attachment parsing in the reconstructPacket function, which allows an attacker to place references to functions at arbitrary places in the resulting query object...
GHSA-QM95-PGCG-QQFQ Insufficient validation when decoding a Socket.IO packet
Due to improper type validation in the socket.io-parser library which is used by the socket.io and socket.io-client packages to encode and decode Socket.IO packets, it is possible to overwrite the placeholder object which allows an attacker to place references to functions at arbitrary places in...
Insufficient validation when decoding a Socket.IO packet
Due to improper type validation in the socket.io-parser library which is used by the socket.io and socket.io-client packages to encode and decode Socket.IO packets, it is possible to overwrite the placeholder object which allows an attacker to place references to functions at arbitrary places in...
@asigna/stx-core-sdk (=0.0.1), @casper124578/use-socket.io (>=2.1.0 <=4.1.0) +133 more potentially affected by CVE-2022-2421 via socket.io-parser (=4.1.2)
socket.io-parser NPM version =4.1.2 is affected by a known vulnerability. The following packages have a transitive dependency on socket.io-parser and may be impacted: - @asigna/stx-core-sdk =0.0.1 - @casper124578/use-socket.io =2.1.0, =31.0.0, =34.0.0, =34.0.0, =1.0.0, =1.0.0, =1.0.1, =0.6.0,...
CVE-2022-2421
Due to improper type validation in attachment parsing in the Socket.io js library, it is possible to overwrite the placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object...