Description
Feathers socket handler allows abusing implicit toString
Impact
The Feathers socket handler did not catch invalid string conversion errors such as `const message = `${{ toString: '' }}``, where the template literal tries to coerce an object whose `toString` property is not a function and throws a TypeError.
Because that error was not handled, sending an unexpected Socket.io message like `socket.emit('find', { toString: '' })` crashed the NodeJS process.
Patches
A fix has been released in
- v5.0.8 via #3241
- v4.5.18 via #3242
Workarounds
Since the bug is in the core socket handling code, there is no workaround; upgrading to a fixed version (4.5.18 or 5.0.8) is necessary.
References
- https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9
- https://nvd.nist.gov/vuln/detail/CVE-2023-37899
- https://github.com/feathersjs/feathers/pull/3241
- https://github.com/feathersjs/feathers/pull/3242
- https://github.com/feathersjs/feathers/commit/0b9a6b19b12ad05934e4c8bd9917448ed39d1ed8
- https://github.com/feathersjs/feathers/commit/c397ab3a0cd184044ae4f73540549b30a396821c
- https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19
- https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19
Packages
Package                         Affected versions       Fixed in
@feathersjs/socketio            <= 4.5.17               4.5.18
@feathersjs/socketio            >= 5.0.0, <= 5.0.7      5.0.8
@feathersjs/transport-commons   <= 4.5.17               4.5.18
@feathersjs/transport-commons   >= 5.0.0, <= 5.0.7      5.0.8
Related vulnerabilities
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like `const message = ${{ toString: '' }}` which would cause the NodeJS process to crash when sending an unexpected Socket.io message like `socket.emit('find', { toString: '' })`. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.