Описание
Insufficient validation when decoding a Socket.IO packet
Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
Patches
A fix has been released today (2023/05/22):
- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in
socket.io-parser@4.2.3 - https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in
socket.io-parser@3.4.3
Another fix has been released for the 3.3.x branch:
- https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4, included in `socket.io-parser@3.3.4
socket.io version | socket.io-parser version | Needs minor update? |
|---|---|---|
4.5.2...latest | ~4.2.0 (ref) | npm audit fix should be sufficient |
4.1.3...4.5.1 | ~4.1.1 (ref) | Please upgrade to socket.io@4.6.x |
3.0.5...4.1.2 | ~4.0.3 (ref) | Please upgrade to socket.io@4.6.x |
3.0.0...3.0.4 | ~4.0.1 (ref) | Please upgrade to socket.io@4.6.x |
2.3.0...2.5.0 | ~3.4.0 (ref) | npm audit fix should be sufficient |
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
- Open a discussion here
Thanks to @rafax00 for the responsible disclosure.
Ссылки
- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9
- https://nvd.nist.gov/vuln/detail/CVE-2023-32695
- https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9
- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced
- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3
- https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4
- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3
Пакеты
socket.io-parser
>= 4.0.4, < 4.2.3
4.2.3
socket.io-parser
>= 3.4.0, < 3.4.3
3.4.3
socket.io-parser
< 3.3.4
3.3.4
EPSS
6.9 Medium
CVSS4
7.3 High
CVSS3
CVE ID
Дефекты
Связанные уязвимости
socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.
socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.
socket.io parser is a socket.io encoder and decoder written in JavaScr ...
EPSS
6.9 Medium
CVSS4
7.3 High
CVSS3