Skip to content

Insufficient validation when decoding a Socket.IO packet

High
darrachequesne published GHSA-cqmj-92xf-r6r9 May 22, 2023

Package

npm socket.io-parser (npm)

Affected versions

>= 4.0.4, < 4.2.3
>= 3.4.0, < 3.4.3

Patched versions

4.2.3
3.4.3

Description

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

socket.io version socket.io-parser version Needs minor update?
4.5.2...latest ~4.2.0 (ref) npm audit fix should be sufficient
4.1.3...4.5.1 ~4.1.1 (ref) Please upgrade to [email protected]
3.0.5...4.1.2 ~4.0.3 (ref) Please upgrade to [email protected]
3.0.0...3.0.4 ~4.0.1 (ref) Please upgrade to [email protected]
2.3.0...2.5.0 ~3.4.0 (ref) npm audit fix should be sufficient

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

Severity

High

CVE ID

CVE-2023-32695

Weaknesses

No CWEs

Credits