Search criteria
11 vulnerabilities by socket
CVE-2023-32695 (GCVE-0-2023-32695)
Vulnerability from cvelistv5 – Published: 2023-05-27 15:44 – Updated: 2025-01-13 21:03
VLAI?
Summary
socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.
Severity ?
7.3 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| socketio | socket.io-parser |
Affected:
>= 4.0.0, < 4.2.3
Affected: >= 3.4.0, < 3.4.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.835Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9"
},
{
"name": "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced"
},
{
"name": "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3"
},
{
"name": "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32695",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T21:03:23.583073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T21:03:34.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "socket.io-parser",
"vendor": "socketio",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.2.3"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-27T15:44:03.235Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9"
},
{
"name": "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced"
},
{
"name": "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3"
},
{
"name": "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3"
}
],
"source": {
"advisory": "GHSA-cqmj-92xf-r6r9",
"discovery": "UNKNOWN"
},
"title": "Insufficient validation when decoding a Socket.IO packet"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32695",
"datePublished": "2023-05-27T15:44:03.235Z",
"dateReserved": "2023-05-11T16:33:45.733Z",
"dateUpdated": "2025-01-13T21:03:34.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31125 (GCVE-0-2023-31125)
Vulnerability from cvelistv5 – Published: 2023-05-08 20:21 – Updated: 2025-02-13 16:49
VLAI?
Summary
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package, including those who use depending packages like `socket.io`. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.
Severity ?
6.5 (Medium)
CWE
- CWE-248 - Uncaught Exception
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.690Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5"
},
{
"name": "https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44"
},
{
"name": "https://github.com/socketio/engine.io/releases/tag/6.4.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/releases/tag/6.4.2"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230622-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T14:56:37.468525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T14:56:45.891Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "engine.io",
"vendor": "socketio",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.1.0, \u003c 6.4.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package, including those who use depending packages like `socket.io`. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-22T14:06:49.626Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5"
},
{
"name": "https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44"
},
{
"name": "https://github.com/socketio/engine.io/releases/tag/6.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/engine.io/releases/tag/6.4.2"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230622-0002/"
}
],
"source": {
"advisory": "GHSA-q9mw-68c2-j6m5",
"discovery": "UNKNOWN"
},
"title": "Uncaught exception in engine.io"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31125",
"datePublished": "2023-05-08T20:21:01.341Z",
"dateReserved": "2023-04-24T21:44:10.415Z",
"dateUpdated": "2025-02-13T16:49:44.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41940 (GCVE-0-2022-41940)
Vulnerability from cvelistv5 – Published: 2022-11-22 00:00 – Updated: 2025-04-22 16:02
VLAI?
Summary
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.
Severity ?
7.1 (High)
CWE
- CWE-248 - Uncaught Exception
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41940",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:41:28.524567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T16:02:20.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "engine.io",
"vendor": "socketio",
"versions": [
{
"status": "affected",
"version": "\u003c 3.6.1"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 6.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-22T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w"
},
{
"url": "https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6"
},
{
"url": "https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085"
}
],
"source": {
"advisory": "GHSA-r7qp-cfhv-p84w",
"discovery": "UNKNOWN"
},
"title": "Uncaught exception in engine.io "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41940",
"datePublished": "2022-11-22T00:00:00.000Z",
"dateReserved": "2022-09-30T00:00:00.000Z",
"dateUpdated": "2025-04-22T16:02:20.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2421 (GCVE-0-2022-2421)
Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:40
VLAI?
Summary
Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.
Severity ?
10 (Critical)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Socket.io | Socket.io-Parser |
Affected:
4.x , < 4.2.1
(custom)
|
Credits
Thomas Rinsma (Codean)
Victor Pasman (DIVD)
Frank Breedijk (DIVD)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:07.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/CVE-2022-2421"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/DIVD-2022-00045"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T14:40:01.867350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T14:40:37.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Socket.io-Parser",
"vendor": "Socket.io",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "4.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Rinsma (Codean)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Pasman (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
}
],
"datePublic": "2022-10-24T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object."
}
],
"value": "Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T13:40:55.218Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2022-2421"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/DIVD-2022-00045"
}
],
"source": {
"advisory": "DIVD-2022-00045",
"discovery": "EXTERNAL"
},
"title": "Socket.io - Improper type validation in attachment parsing",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2022-2421",
"datePublished": "2022-10-25T00:00:00",
"dateReserved": "2022-07-15T00:00:00",
"dateUpdated": "2025-03-11T13:40:55.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25867 (GCVE-0-2022-25867)
Vulnerability from cvelistv5 – Published: 2022-08-02 13:28 – Updated: 2024-09-16 22:25
VLAI?
Summary
The package io.socket:socket.io-client before 2.0.1 are vulnerable to NULL Pointer Dereference when parsing a packet with with invalid payload format.
Severity ?
CWE
- NULL Pointer Dereference
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | io.socket:socket.io-client |
Affected:
unspecified , < 2.0.1
(custom)
|
Credits
Andrei Nikonov
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:44.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-IOSOCKET-2949738"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-client-java/issues/508%23issuecomment-1179817361"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-client-java/releases/tag/socket.io-client-2.0.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "io.socket:socket.io-client",
"vendor": "n/a",
"versions": [
{
"lessThan": "2.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andrei Nikonov"
}
],
"datePublic": "2022-08-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The package io.socket:socket.io-client before 2.0.1 are vulnerable to NULL Pointer Dereference when parsing a packet with with invalid payload format."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "NULL Pointer Dereference",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-02T13:28:24",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-IOSOCKET-2949738"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io-client-java/issues/508%23issuecomment-1179817361"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io-client-java/releases/tag/socket.io-client-2.0.1"
}
],
"title": "NULL Pointer Dereference",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-08-02T13:21:08.845449Z",
"ID": "CVE-2022-25867",
"STATE": "PUBLIC",
"TITLE": "NULL Pointer Dereference"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "io.socket:socket.io-client",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Andrei Nikonov"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package io.socket:socket.io-client before 2.0.1 are vulnerable to NULL Pointer Dereference when parsing a packet with with invalid payload format."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "NULL Pointer Dereference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.snyk.io/vuln/SNYK-JAVA-IOSOCKET-2949738",
"refsource": "MISC",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-IOSOCKET-2949738"
},
{
"name": "https://github.com/socketio/socket.io-client-java/issues/508%23issuecomment-1179817361",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io-client-java/issues/508%23issuecomment-1179817361"
},
{
"name": "https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"
},
{
"name": "https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"
},
{
"name": "https://github.com/socketio/socket.io-client-java/releases/tag/socket.io-client-2.0.1",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io-client-java/releases/tag/socket.io-client-2.0.1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25867",
"datePublished": "2022-08-02T13:28:24.215901Z",
"dateReserved": "2022-02-24T00:00:00",
"dateUpdated": "2024-09-16T22:25:32.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-21676 (GCVE-0-2022-21676)
Vulnerability from cvelistv5 – Published: 2022-01-12 18:25 – Updated: 2025-04-23 19:13
VLAI?
Summary
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package starting from version `4.0.0`, including those who uses depending packages like `socket.io`. Versions prior to `4.0.0` are not impacted. A fix has been released for each major branch, namely `4.1.2` for the `4.x.x` branch, `5.2.1` for the `5.x.x` branch, and `6.1.1` for the `6.x.x` branch. There is no known workaround except upgrading to a safe version.
Severity ?
7.5 (High)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:46:39.237Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/security/advisories/GHSA-273r-mgr4-v34f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/commit/66f889fc1d966bf5bfa0de1939069153643874ab"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/commit/a70800d7e96da32f6e6622804ef659ebc58659db"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/commit/c0e194d44933bd83bf9a4b126fca68ba7bf5098c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/releases/tag/4.1.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/releases/tag/5.2.1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/releases/tag/6.1.1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220209-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21676",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:58:14.583594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:13:15.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "engine.io",
"vendor": "socketio",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.1.2"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.2.1"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package starting from version `4.0.0`, including those who uses depending packages like `socket.io`. Versions prior to `4.0.0` are not impacted. A fix has been released for each major branch, namely `4.1.2` for the `4.x.x` branch, `5.2.1` for the `5.x.x` branch, and `6.1.1` for the `6.x.x` branch. There is no known workaround except upgrading to a safe version."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T23:06:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/socketio/engine.io/security/advisories/GHSA-273r-mgr4-v34f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/engine.io/commit/66f889fc1d966bf5bfa0de1939069153643874ab"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/engine.io/commit/a70800d7e96da32f6e6622804ef659ebc58659db"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/engine.io/commit/c0e194d44933bd83bf9a4b126fca68ba7bf5098c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/engine.io/releases/tag/4.1.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/engine.io/releases/tag/5.2.1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/engine.io/releases/tag/6.1.1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220209-0002/"
}
],
"source": {
"advisory": "GHSA-273r-mgr4-v34f",
"discovery": "UNKNOWN"
},
"title": "Uncaught Exception in engine.io",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-21676",
"STATE": "PUBLIC",
"TITLE": "Uncaught Exception in engine.io"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "engine.io",
"version": {
"version_data": [
{
"version_value": "\u003e= 4.0.0, \u003c 4.1.2"
},
{
"version_value": "\u003e= 5.0.0, \u003c 5.2.1"
},
{
"version_value": "\u003e= 6.0.0, \u003c 6.1.1"
}
]
}
}
]
},
"vendor_name": "socketio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package starting from version `4.0.0`, including those who uses depending packages like `socket.io`. Versions prior to `4.0.0` are not impacted. A fix has been released for each major branch, namely `4.1.2` for the `4.x.x` branch, `5.2.1` for the `5.x.x` branch, and `6.1.1` for the `6.x.x` branch. There is no known workaround except upgrading to a safe version."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-754: Improper Check for Unusual or Exceptional Conditions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/socketio/engine.io/security/advisories/GHSA-273r-mgr4-v34f",
"refsource": "CONFIRM",
"url": "https://github.com/socketio/engine.io/security/advisories/GHSA-273r-mgr4-v34f"
},
{
"name": "https://github.com/socketio/engine.io/commit/66f889fc1d966bf5bfa0de1939069153643874ab",
"refsource": "MISC",
"url": "https://github.com/socketio/engine.io/commit/66f889fc1d966bf5bfa0de1939069153643874ab"
},
{
"name": "https://github.com/socketio/engine.io/commit/a70800d7e96da32f6e6622804ef659ebc58659db",
"refsource": "MISC",
"url": "https://github.com/socketio/engine.io/commit/a70800d7e96da32f6e6622804ef659ebc58659db"
},
{
"name": "https://github.com/socketio/engine.io/commit/c0e194d44933bd83bf9a4b126fca68ba7bf5098c",
"refsource": "MISC",
"url": "https://github.com/socketio/engine.io/commit/c0e194d44933bd83bf9a4b126fca68ba7bf5098c"
},
{
"name": "https://github.com/socketio/engine.io/releases/tag/4.1.2",
"refsource": "MISC",
"url": "https://github.com/socketio/engine.io/releases/tag/4.1.2"
},
{
"name": "https://github.com/socketio/engine.io/releases/tag/5.2.1",
"refsource": "MISC",
"url": "https://github.com/socketio/engine.io/releases/tag/5.2.1"
},
{
"name": "https://github.com/socketio/engine.io/releases/tag/6.1.1",
"refsource": "MISC",
"url": "https://github.com/socketio/engine.io/releases/tag/6.1.1"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220209-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220209-0002/"
}
]
},
"source": {
"advisory": "GHSA-273r-mgr4-v34f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-21676",
"datePublished": "2022-01-12T18:25:15.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:13:15.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-28481 (GCVE-0-2020-28481)
Vulnerability from cvelistv5 – Published: 2021-01-19 14:45 – Updated: 2024-09-16 20:11
VLAI?
Summary
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Severity ?
CWE
- Insecure Defaults
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
ni8walk3r
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:40:59.584Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io/issues/3671"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "socket.io",
"vendor": "n/a",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ni8walk3r"
}
],
"datePublic": "2021-01-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.8,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Defaults",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-19T14:45:16",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io/issues/3671"
}
],
"title": "Insecure Defaults",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-01-19T14:44:58.073500Z",
"ID": "CVE-2020-28481",
"STATE": "PUBLIC",
"TITLE": "Insecure Defaults"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "socket.io",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "ni8walk3r"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Defaults"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358"
},
{
"name": "https://github.com/socketio/socket.io/issues/3671",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io/issues/3671"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-28481",
"datePublished": "2021-01-19T14:45:17.064568Z",
"dateReserved": "2020-11-12T00:00:00",
"dateUpdated": "2024-09-16T20:11:33.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36048 (GCVE-0-2020-36048)
Vulnerability from cvelistv5 – Published: 2021-01-07 23:24 – Updated: 2024-08-04 17:16
VLAI?
Summary
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:16:14.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.caller.xyz/socketio-engineio-dos/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bcaller/kill-engine-io"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-07T23:24:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.caller.xyz/socketio-engineio-dos/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bcaller/kill-engine-io"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36048",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b",
"refsource": "MISC",
"url": "https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b"
},
{
"name": "https://blog.caller.xyz/socketio-engineio-dos/",
"refsource": "MISC",
"url": "https://blog.caller.xyz/socketio-engineio-dos/"
},
{
"name": "https://github.com/bcaller/kill-engine-io",
"refsource": "MISC",
"url": "https://github.com/bcaller/kill-engine-io"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36048",
"datePublished": "2021-01-07T23:24:33",
"dateReserved": "2021-01-04T00:00:00",
"dateUpdated": "2024-08-04T17:16:14.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36049 (GCVE-0-2020-36049)
Vulnerability from cvelistv5 – Published: 2021-01-07 23:24 – Updated: 2024-08-04 17:16
VLAI?
Summary
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:16:14.004Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.caller.xyz/socketio-engineio-dos/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bcaller/kill-engine-io"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-07T23:24:23",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.caller.xyz/socketio-engineio-dos/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bcaller/kill-engine-io"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36049",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.caller.xyz/socketio-engineio-dos/",
"refsource": "MISC",
"url": "https://blog.caller.xyz/socketio-engineio-dos/"
},
{
"name": "https://github.com/bcaller/kill-engine-io",
"refsource": "MISC",
"url": "https://github.com/bcaller/kill-engine-io"
},
{
"name": "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36049",
"datePublished": "2021-01-07T23:24:23",
"dateReserved": "2021-01-04T00:00:00",
"dateUpdated": "2024-08-04T17:16:14.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16031 (GCVE-0-2017-16031)
Vulnerability from cvelistv5 – Published: 2018-06-04 19:00 – Updated: 2024-09-16 21:07
VLAI?
Summary
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.
Severity ?
No CVSS data available.
CWE
- Account Hijacking
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | socket.io node module |
Affected:
<=0.9.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:13:06.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io/issues/856"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io/pull/857"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/321"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "socket.io node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c=0.9.6"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Account Hijacking",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-04T18:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io/issues/856"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io/pull/857"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/321"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2017-16031",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "socket.io node module",
"version": {
"version_data": [
{
"version_value": "\u003c=0.9.6"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Account Hijacking"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8"
},
{
"name": "https://github.com/socketio/socket.io/issues/856",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io/issues/856"
},
{
"name": "https://github.com/socketio/socket.io/pull/857",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io/pull/857"
},
{
"name": "https://nodesecurity.io/advisories/321",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/321"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-16031",
"datePublished": "2018-06-04T19:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-16T21:07:25.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10536 (GCVE-0-2016-10536)
Vulnerability from cvelistv5 – Published: 2018-05-31 20:00 – Updated: 2024-09-17 01:46
VLAI?
Summary
engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. The vulnerability is related to the way that node.js handles the `rejectUnauthorized` setting. If the value is something that evaluates to false, certificate verification will be disabled. This is problematic as engine.io-client 1.6.8 and earlier passes in an object for settings that includes the rejectUnauthorized property, whether it has been set or not. If the value has not been explicitly changed, it will be passed in as `null`, resulting in certificate verification being turned off.
Severity ?
No CVSS data available.
CWE
- CWE-300 - Man-in-the-Middle (CWE-300)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | engine.io-client node module |
Affected:
<= 1.6.8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:21:52.275Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cigital.com/blog/node-js-socket-io/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/engine.io-client/commit/2c55b278a491bf45313ecc0825cf800e2f7ff5c1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/99"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "engine.io-client node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.6.8"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. The vulnerability is related to the way that node.js handles the `rejectUnauthorized` setting. If the value is something that evaluates to false, certificate verification will be disabled. This is problematic as engine.io-client 1.6.8 and earlier passes in an object for settings that includes the rejectUnauthorized property, whether it has been set or not. If the value has not been explicitly changed, it will be passed in as `null`, resulting in certificate verification being turned off."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-300",
"description": "Man-in-the-Middle (CWE-300)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-31T19:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cigital.com/blog/node-js-socket-io/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/engine.io-client/commit/2c55b278a491bf45313ecc0825cf800e2f7ff5c1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/99"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2016-10536",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "engine.io-client node module",
"version": {
"version_data": [
{
"version_value": "\u003c= 1.6.8"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. The vulnerability is related to the way that node.js handles the `rejectUnauthorized` setting. If the value is something that evaluates to false, certificate verification will be disabled. This is problematic as engine.io-client 1.6.8 and earlier passes in an object for settings that includes the rejectUnauthorized property, whether it has been set or not. If the value has not been explicitly changed, it will be passed in as `null`, resulting in certificate verification being turned off."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Man-in-the-Middle (CWE-300)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cigital.com/blog/node-js-socket-io/",
"refsource": "MISC",
"url": "https://www.cigital.com/blog/node-js-socket-io/"
},
{
"name": "https://github.com/socketio/engine.io-client/commit/2c55b278a491bf45313ecc0825cf800e2f7ff5c1",
"refsource": "MISC",
"url": "https://github.com/socketio/engine.io-client/commit/2c55b278a491bf45313ecc0825cf800e2f7ff5c1"
},
{
"name": "https://nodesecurity.io/advisories/99",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/99"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2016-10536",
"datePublished": "2018-05-31T20:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-17T01:46:42.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}