GHSA-r7qp-cfhv-p84w

Опубликовано: 21 нояб. 2022

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

Uncaught exception in engine.io

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292 throw er; // Unhandled 'error' event ^ Error: read ECONNRESET at TCP.onStreamRead (internal/stream_base_commons.js:209:20) Emitted 'error' event on Socket instance at: at emitErrorNT (internal/streams/destroy.js:106:8) at emitErrorCloseNT (internal/streams/destroy.js:74:3) at processTicksAndRejections (internal/process/task_queues.js:80:21) { errno: -104, code: 'ECONNRESET', syscall: 'read' }

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

Version range	Fixed version
`engine.io@3.x.y`	`3.6.1`
`engine.io@6.x.y`	`6.2.1`

For socket.io users:

Version range	`engine.io` version	Needs minor update?
`socket.io@4.5.x`	`~6.2.0`	`npm audit fix` should be sufficient
`socket.io@4.4.x`	`~6.1.0`	Please upgrade to `socket.io@4.5.x`
`socket.io@4.3.x`	`~6.0.0`	Please upgrade to `socket.io@4.5.x`
`socket.io@4.2.x`	`~5.2.0`	Please upgrade to `socket.io@4.5.x`
`socket.io@4.1.x`	`~5.1.1`	Please upgrade to `socket.io@4.5.x`
`socket.io@4.0.x`	`~5.0.0`	Please upgrade to `socket.io@4.5.x`
`socket.io@3.1.x`	`~4.1.0`	Please upgrade to `socket.io@4.5.x` (see here)
`socket.io@3.0.x`	`~4.0.0`	Please upgrade to `socket.io@4.5.x` (see here)
`socket.io@2.5.0`	`~3.6.0`	`npm audit fix` should be sufficient
`socket.io@2.4.x` and below	`~3.5.0`	Please upgrade to `socket.io@2.5.0`

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

Ссылки

Пакеты

Наименование

engine.io

npm

Затронутые версииВерсия исправления

< 3.6.1

3.6.1

Наименование

engine.io

npm

Затронутые версииВерсия исправления

>= 4.0.0, < 6.2.1

6.2.1

EPSS

Процентиль: 84%

0.0206

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2022-41940

Дефекты

CWE-248

Связанные уязвимости

CVE-2022-41940

CVSS3: 6.5

redhat

около 3 лет назад

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.

CVE-2022-41940

CVSS3: 7.1

nvd

около 3 лет назад

EPSS

Процентиль: 84%

0.0206

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2022-41940

Дефекты

CWE-248