Insufficient validation when decoding a Socket.IO packet
Moderate severity
GitHub Reviewed
Published
May 22, 2023
in
socketio/socket.io-parser
•
Updated Nov 18, 2024
Package
Affected versions
>= 3.4.0, < 3.4.3
>= 4.0.4, < 4.2.3
< 3.3.4
Patched versions
3.4.3
4.2.3
3.3.4
Description
Published to the GitHub Advisory Database
May 23, 2023
Reviewed
May 23, 2023
Published by the National Vulnerability Database
May 27, 2023
Last updated
Nov 18, 2024
Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
Patches
A fix has been released today (2023/05/22):
socket.io-parser@4.2.3
socket.io-parser@3.4.3
Another fix has been released for the
3.3.x
branch:socket.io
versionsocket.io-parser
version4.5.2...latest
~4.2.0
(ref)npm audit fix
should be sufficient4.1.3...4.5.1
~4.1.1
(ref)socket.io@4.6.x
3.0.5...4.1.2
~4.0.3
(ref)socket.io@4.6.x
3.0.0...3.0.4
~4.0.1
(ref)socket.io@4.6.x
2.3.0...2.5.0
~3.4.0
(ref)npm audit fix
should be sufficientWorkarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
Thanks to @rafax00 for the responsible disclosure.
References