ghsa-cqmj-92xf-r6r9
Vulnerability from github
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
TypeError: Cannot convert object to primitive value
at Socket.emit (node:events:507:25)
at .../node_modules/socket.io/lib/socket.js:531:14
Patches
A fix has been released today (2023/05/22):
- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in
socket.io-parser@4.2.3
- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in
socket.io-parser@3.4.3
Another fix has been released for the 3.3.x
branch:
- https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4, included in `socket.io-parser@3.3.4
| socket.io
version | socket.io-parser
version | Needs minor update? |
|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|
| 4.5.2...latest
| ~4.2.0
(ref) | npm audit fix
should be sufficient |
| 4.1.3...4.5.1
| ~4.1.1
(ref) | Please upgrade to socket.io@4.6.x
|
| 3.0.5...4.1.2
| ~4.0.3
(ref) | Please upgrade to socket.io@4.6.x
|
| 3.0.0...3.0.4
| ~4.0.1
(ref) | Please upgrade to socket.io@4.6.x
|
| 2.3.0...2.5.0
| ~3.4.0
(ref) | npm audit fix
should be sufficient |
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
- Open a discussion here
Thanks to @rafax00 for the responsible disclosure.
{ "affected": [ { "package": { "ecosystem": "npm", "name": "socket.io-parser" }, "ranges": [ { "events": [ { "introduced": "4.0.4" }, { "fixed": "4.2.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "socket.io-parser" }, "ranges": [ { "events": [ { "introduced": "3.4.0" }, { "fixed": "3.4.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "socket.io-parser" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.3.4" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-32695" ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-754" ], "github_reviewed": true, "github_reviewed_at": "2023-05-23T19:55:13Z", "nvd_published_at": "2023-05-27T16:15:09Z", "severity": "MODERATE" }, "details": "### Impact\n\nA specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot convert object to primitive value\n at Socket.emit (node:events:507:25)\n at .../node_modules/socket.io/lib/socket.js:531:14\n```\n\n### Patches\n\nA fix has been released today (2023/05/22):\n\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `socket.io-parser@4.2.3`\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `socket.io-parser@3.4.3`\n\n\nAnother fix has been released for the `3.3.x` branch:\n\n- https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4, included in `socket.io-parser@3.3.4\n\n| `socket.io` version | `socket.io-parser` version | Needs minor update? |\n|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|\n| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |\n| `4.1.3...4.5.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `socket.io@4.6.x` |\n| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |\n\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)\n\nThanks to [@rafax00](https://github.com/rafax00) for the responsible disclosure.\n", "id": "GHSA-cqmj-92xf-r6r9", "modified": "2024-11-18T16:26:29Z", "published": "2023-05-23T19:55:13Z", "references": [ { "type": "WEB", "url": "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32695" }, { "type": "WEB", "url": "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9" }, { "type": "WEB", "url": "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced" }, { "type": "WEB", "url": "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3" }, { "type": "WEB", "url": "https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4" }, { "type": "PACKAGE", "url": "https://github.com/socketio/socket.io-parser" }, { "type": "WEB", "url": "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "Insufficient validation when decoding a Socket.IO packet" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.