Description
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. The Feathers socket handler did not catch invalid string conversion errors, such as the one raised by const message = `${{ toString: '' }}`, which would cause the Node.js process to crash when it received an unexpected Socket.io message such as socket.emit('find', { toString: '' }). A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.
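The crash mechanism described above, as an added JavaScript example that is not Feathers' own code or its upstream patch: a template literal runs ToPrimitive on the payload, and an object whose toString is not a function (with the default valueOf returning the object itself) makes that conversion throw a TypeError. The safeToString and handleSocketEvent functions are assumed illustrations of catching that error inside the handler instead of letting it escape to the event loop, where an uncaught exception terminates the process.

```javascript
// Added example, not Feathers' own code. Demonstrates why `${msg}` throws for
// the crafted Socket.io payload from the advisory and how a handler can
// contain the error instead of crashing the Node.js process.

// Naive conversion, as in the advisory: ToPrimitive(msg, "string") tries
// msg.toString (not callable here, so skipped) and then msg.valueOf (the
// default returns the object itself, not a primitive), then throws TypeError.
function naiveToString(msg) {
  return `${msg}`;
}

// Hardened conversion (assumed design, not the upstream fix): catch the
// conversion error and substitute a safe placeholder.
function safeToString(msg) {
  try {
    return `${msg}`;
  } catch (err) {
    if (err instanceof TypeError) return '[unprintable message]';
    throw err;
  }
}

// Simulated socket event handler (hypothetical): report the failure as a
// result value so nothing propagates to the event loop as an uncaught error.
function handleSocketEvent(eventName, payload) {
  try {
    const description = `${eventName}: ${payload}`;
    return { ok: true, description };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed payloads: a well-formed one and the crafted one from the advisory.
const benignPayload = { toString: () => 'query' };
const craftedPayload = { toString: '' };

console.log(safeToString(benignPayload));   // "query"
console.log(safeToString(craftedPayload));  // "[unprintable message]"
console.log(handleSocketEvent('find', craftedPayload).ok); // false
```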
References
- Release Notes
- Release Notes
- Patch
- Patch
- Exploit
- Vendor Advisory
Vulnerable configurations
Configuration 1: versions before 4.5.18 (excluding); versions from 5.0.0 (including) up to 5.0.8 (excluding)
One of:
cpe:2.3:a:feathersjs:feathers:*:*:*:*:*:node.js:*:*
EPSS: 0.00202 (percentile: 42%), Low
CVSS3: 7.5 High
Weaknesses: CWE-754
Related vulnerabilities
- Feathers socket handler allows abusing implicit toString (github, more than 2 years ago)
  CVSS3: 7.5 High
  EPSS: 0.00202 (percentile: 42%), Low
  Weaknesses: CWE-754