cvelistv5 - cve-2023-31125

URL	Tags
security-advisories@github.com	https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44	Patch
security-advisories@github.com	https://github.com/socketio/engine.io/releases/tag/6.4.2	Release Notes
security-advisories@github.com	https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5	Vendor Advisory
security-advisories@github.com	https://security.netapp.com/advisory/ntap-20230622-0002/

▼	Vendor	Product
	socketio	engine.io

gsd-2023-31125

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package, including those who use depending packages like `socket.io`. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.

Aliases

CVE-2023-31125

Aliases

CVE-2023-31125

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-31125",
    "id": "GSD-2023-31125"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-31125"
      ],
      "details": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package, including those who use depending packages like `socket.io`. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.\n",
      "id": "GSD-2023-31125",
      "modified": "2023-12-13T01:20:30.248283Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-31125",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "engine.io",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 5.1.0, \u003c 6.4.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "socketio"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package, including those who use depending packages like `socket.io`. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.\n"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-248",
                "lang": "eng",
                "value": "CWE-248: Uncaught Exception"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5",
            "refsource": "MISC",
            "url": "https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5"
          },
          {
            "name": "https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44",
            "refsource": "MISC",
            "url": "https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44"
          },
          {
            "name": "https://github.com/socketio/engine.io/releases/tag/6.4.2",
            "refsource": "MISC",
            "url": "https://github.com/socketio/engine.io/releases/tag/6.4.2"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20230622-0002/",
            "refsource": "MISC",
            "url": "https://security.netapp.com/advisory/ntap-20230622-0002/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-q9mw-68c2-j6m5",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=5.1.0 \u003c6.4.2",
          "affected_versions": "All versions starting from 5.1.0 before 6.4.2",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-248",
            "CWE-937"
          ],
          "date": "2023-06-22",
          "description": "A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot read properties of undefined (reading \u0027handlesUpgrades\u0027)\n at Server.onWebSocket (build/server.js:515:67)\n```\n\nThis impacts all the users of the [`engine.io`](https://www.npmjs.com/package/engine.io) package, including those who uses depending packages like [`socket.io`](https://www.npmjs.com/package/socket.io).\n\n A fix has been released today (2023/05/02): [6.4.2](https://github.com/socketio/engine.io/releases/tag/6.4.2) \n\nThis bug was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted.\n\nFor `socket.io` users:\n\n - `socket.io@4.6.x` `~6.4.0` `npm audit fix` should be sufficient\n - `socket.io@4.5.x` `~6.2.0` Please upgrade to `socket.io@4.6.x`\n - `socket.io@4.4.x` `~6.1.0` Please upgrade to `socket.io@4.6.x`\n - `socket.io@4.3.x` `~6.0.0` Please upgrade to `socket.io@4.6.x`\n - `socket.io@4.2.x` `~5.2.0` Please upgrade to `socket.io@4.6.x`\n - `socket.io@4.1.x` `~5.1.1` Please upgrade to `socket.io@4.6.x`\n - `socket.io@4.0.x` `~5.0.0` Not impacted\n - `socket.io@3.1.x` `~4.1.0` Not impacted\n - `socket.io@3.0.x` `~4.0.0` Not impacted\n - `socket.io@2.5.0` `~3.6.0` Not impacted\n - `socket.io@2.4.x` and below `~3.5.0` Not impacted \n\n There is no known workaround except upgrading to a safe version.\n\n If you have any questions or comments about this advisory open an issue in [`engine.io`](https://github.com/socketio/engine.io)\n\n Thanks to Thomas Rinsma from Codean for the responsible disclosure.\n",
          "fixed_versions": [
            "6.4.2"
          ],
          "identifier": "CVE-2023-31125",
          "identifiers": [
            "CVE-2023-31125",
            "GHSA-q9mw-68c2-j6m5"
          ],
          "not_impacted": "All versions before 5.1.0, all versions starting from 6.4.2",
          "package_slug": "npm/engine.io",
          "pubdate": "2023-05-08",
          "solution": "Upgrade to version 6.4.2 or above.",
          "title": "engine.io Uncaught Exception vulnerability",
          "urls": [
            "https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5",
            "https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44",
            "https://github.com/socketio/engine.io/releases/tag/6.4.2",
            "https://github.com/advisories/GHSA-q9mw-68c2-j6m5"
          ],
          "uuid": "3f0f8972-bf1d-41c7-9118-644df8481d60"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:socket:engine.io:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.4.2",
                "versionStartIncluding": "5.1.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-31125"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package, including those who use depending packages like `socket.io`. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-248"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/socketio/engine.io/releases/tag/6.4.2",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/socketio/engine.io/releases/tag/6.4.2"
            },
            {
              "name": "https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44"
            },
            {
              "name": "https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20230622-0002/",
              "refsource": "MISC",
              "tags": [],
              "url": "https://security.netapp.com/advisory/ntap-20230622-0002/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-06-22T15:15Z",
      "publishedDate": "2023-05-08T21:15Z"
    }
  }
}

wid-sec-w-2023-1800

Vulnerability from csaf_certbund

Published

2023-07-18 22:00

Modified

2023-07-18 22:00

Summary

HCL BigFix: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

BigFix ist eine Lösung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in HCL BigFix WebUI ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.

Betroffene Betriebssysteme

- UNIX - Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "BigFix ist eine L\u00f6sung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in HCL BigFix WebUI ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-1800 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1800.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-1800 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1800"
      },
      {
        "category": "external",
        "summary": "HCL Security Advisory vom 2023-07-18",
        "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0106123"
      }
    ],
    "source_lang": "en-US",
    "title": "HCL BigFix: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-07-18T22:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T17:37:13.875+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2023-1800",
      "initial_release_date": "2023-07-18T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-07-18T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "HCL BigFix WebUI",
            "product": {
              "name": "HCL BigFix WebUI",
              "product_id": "T023767",
              "product_identification_helper": {
                "cpe": "cpe:/a:hcltech:bigfix:webui"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "HCL"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-32695",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T023767"
        ]
      },
      "release_date": "2023-07-18T22:00:00Z",
      "title": "CVE-2023-32695"
    },
    {
      "cve": "CVE-2023-31125",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T023767"
        ]
      },
      "release_date": "2023-07-18T22:00:00Z",
      "title": "CVE-2023-31125"
    },
    {
      "cve": "CVE-2023-30533",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T023767"
        ]
      },
      "release_date": "2023-07-18T22:00:00Z",
      "title": "CVE-2023-30533"
    },
    {
      "cve": "CVE-2023-28155",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T023767"
        ]
      },
      "release_date": "2023-07-18T22:00:00Z",
      "title": "CVE-2023-28155"
    },
    {
      "cve": "CVE-2023-28023",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T023767"
        ]
      },
      "release_date": "2023-07-18T22:00:00Z",
      "title": "CVE-2023-28023"
    },
    {
      "cve": "CVE-2023-28021",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T023767"
        ]
      },
      "release_date": "2023-07-18T22:00:00Z",
      "title": "CVE-2023-28021"
    },
    {
      "cve": "CVE-2023-28020",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T023767"
        ]
      },
      "release_date": "2023-07-18T22:00:00Z",
      "title": "CVE-2023-28020"
    },
    {
      "cve": "CVE-2023-28019",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T023767"
        ]
      },
      "release_date": "2023-07-18T22:00:00Z",
      "title": "CVE-2023-28019"
    },
    {
      "cve": "CVE-2021-43138",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T023767"
        ]
      },
      "release_date": "2023-07-18T22:00:00Z",
      "title": "CVE-2021-43138"
    }
  ]
}

ghsa-q9mw-68c2-j6m5

Vulnerability from github

Published

2023-05-03 21:56

Modified

2023-05-09 16:32

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

engine.io Uncaught Exception vulnerability

Details

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades') at Server.onWebSocket (build/server.js:515:67)

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2023/05/02): 6.4.2

This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.

For socket.io users:

| Version range | engine.io version | Needs minor update? | |-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------| | socket.io@4.6.x | ~6.4.0 | npm audit fix should be sufficient | | socket.io@4.5.x | ~6.2.0 | Please upgrade to socket.io@4.6.x | | socket.io@4.4.x | ~6.1.0 | Please upgrade to socket.io@4.6.x | | socket.io@4.3.x | ~6.0.0 | Please upgrade to socket.io@4.6.x | | socket.io@4.2.x | ~5.2.0 | Please upgrade to socket.io@4.6.x | | socket.io@4.1.x | ~5.1.1 | Please upgrade to socket.io@4.6.x | | socket.io@4.0.x | ~5.0.0 | Not impacted | | socket.io@3.1.x | ~4.1.0 | Not impacted | | socket.io@3.0.x | ~4.0.0 | Not impacted | | socket.io@2.5.0 | ~3.6.0 | Not impacted | | socket.io@2.4.x and below | ~3.5.0 | Not impacted |

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Thomas Rinsma from Codean for the responsible disclosure.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "engine.io"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.1.0"
            },
            {
              "fixed": "6.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-31125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-03T21:56:51Z",
    "nvd_published_at": "2023-05-08T21:15:11Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot read properties of undefined (reading \u0027handlesUpgrades\u0027)\n    at Server.onWebSocket (build/server.js:515:67)\n```\n\nThis impacts all the users of the [`engine.io`](https://www.npmjs.com/package/engine.io) package, including those who uses depending packages like [`socket.io`](https://www.npmjs.com/package/socket.io).\n\n### Patches\n\nA fix has been released today (2023/05/02): [6.4.2](https://github.com/socketio/engine.io/releases/tag/6.4.2)\n\nThis bug was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted.\n\nFor `socket.io` users:\n\n| Version range               | `engine.io` version | Needs minor update?                                                                                    |\n|-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------|\n| `socket.io@4.6.x`           | `~6.4.0`            | `npm audit fix` should be sufficient                                                                   |\n| `socket.io@4.5.x`           | `~6.2.0`            | Please upgrade to `socket.io@4.6.x`                                                                    |\n| `socket.io@4.4.x`           | `~6.1.0`            | Please upgrade to `socket.io@4.6.x`                                                                    |\n| `socket.io@4.3.x`           | `~6.0.0`            | Please upgrade to `socket.io@4.6.x`                                                                    |\n| `socket.io@4.2.x`           | `~5.2.0`            | Please upgrade to `socket.io@4.6.x`                                                                    |\n| `socket.io@4.1.x`           | `~5.1.1`            | Please upgrade to `socket.io@4.6.x`                                                                    |\n| `socket.io@4.0.x`           | `~5.0.0`            | Not impacted |\n| `socket.io@3.1.x`           | `~4.1.0`            | Not impacted |\n| `socket.io@3.0.x`           | `~4.0.0`            | Not impacted |\n| `socket.io@2.5.0`           | `~3.6.0`            | Not impacted |\n| `socket.io@2.4.x` and below | `~3.5.0`            | Not impacted |\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [`engine.io`](https://github.com/socketio/engine.io)\n\nThanks to Thomas Rinsma from Codean for the responsible disclosure.\n",
  "id": "GHSA-q9mw-68c2-j6m5",
  "modified": "2023-05-09T16:32:21Z",
  "published": "2023-05-03T21:56:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31125"
    },
    {
      "type": "WEB",
      "url": "https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/socketio/engine.io"
    },
    {
      "type": "WEB",
      "url": "https://github.com/socketio/engine.io/releases/tag/6.4.2"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230622-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "engine.io Uncaught Exception vulnerability"
}

cve-2023-31125

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

cve-2023-31125

Vulnerability from cvelistv5

gsd-2023-31125

Vulnerability from gsd

wid-sec-w-2023-1800

Vulnerability from csaf_certbund

ghsa-q9mw-68c2-j6m5

Vulnerability from github

Impact

Patches

Workarounds

For more information

Tags

Sightings

Nomenclature