ghsa-cqmj-92xf-r6r9
Vulnerability from github
Published
2023-05-23 19:55
Modified
2024-11-18 16:26
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
Insufficient validation when decoding a Socket.IO packet
Details

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value at Socket.emit (node:events:507:25) at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

  • https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in socket.io-parser@4.2.3
  • https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in socket.io-parser@3.4.3

Another fix has been released for the 3.3.x branch:

  • https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4, included in `socket.io-parser@3.3.4

| socket.io version | socket.io-parser version | Needs minor update? | |---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------| | 4.5.2...latest | ~4.2.0 (ref) | npm audit fix should be sufficient | | 4.1.3...4.5.1 | ~4.1.1 (ref) | Please upgrade to socket.io@4.6.x | | 3.0.5...4.1.2 | ~4.0.3 (ref) | Please upgrade to socket.io@4.6.x | | 3.0.0...3.0.4 | ~4.0.1 (ref) | Please upgrade to socket.io@4.6.x | | 2.3.0...2.5.0 | ~3.4.0 (ref) | npm audit fix should be sufficient |

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

Show details on source website

To clipboard 

{
   affected: [
      {
         package: {
            ecosystem: "npm",
            name: "socket.io-parser",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "4.0.4",
                  },
                  {
                     fixed: "4.2.3",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
      {
         package: {
            ecosystem: "npm",
            name: "socket.io-parser",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "3.4.0",
                  },
                  {
                     fixed: "3.4.3",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
      {
         package: {
            ecosystem: "npm",
            name: "socket.io-parser",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "0",
                  },
                  {
                     fixed: "3.3.4",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
   ],
   aliases: [
      "CVE-2023-32695",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-20",
         "CWE-754",
      ],
      github_reviewed: true,
      github_reviewed_at: "2023-05-23T19:55:13Z",
      nvd_published_at: "2023-05-27T16:15:09Z",
      severity: "MODERATE",
   },
   details: "### Impact\n\nA specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot convert object to primitive value\n       at Socket.emit (node:events:507:25)\n       at .../node_modules/socket.io/lib/socket.js:531:14\n```\n\n### Patches\n\nA fix has been released today (2023/05/22):\n\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `socket.io-parser@4.2.3`\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `socket.io-parser@3.4.3`\n\n\nAnother fix has been released for the `3.3.x` branch:\n\n- https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4, included in `socket.io-parser@3.3.4\n\n| `socket.io` version | `socket.io-parser` version                                                                              | Needs minor update?                  |\n|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|\n| `4.5.2...latest`    | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |\n| `4.1.3...4.5.1`     | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `socket.io@4.6.x`  |\n| `3.0.5...4.1.2`     | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `socket.io@4.6.x`  |\n| `3.0.0...3.0.4`     | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `socket.io@4.6.x`  |\n| `2.3.0...2.5.0`     | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |\n\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)\n\nThanks to [@rafax00](https://github.com/rafax00) for the responsible disclosure.\n",
   id: "GHSA-cqmj-92xf-r6r9",
   modified: "2024-11-18T16:26:29Z",
   published: "2023-05-23T19:55:13Z",
   references: [
      {
         type: "WEB",
         url: "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9",
      },
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32695",
      },
      {
         type: "WEB",
         url: "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9",
      },
      {
         type: "WEB",
         url: "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced",
      },
      {
         type: "WEB",
         url: "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3",
      },
      {
         type: "WEB",
         url: "https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4",
      },
      {
         type: "PACKAGE",
         url: "https://github.com/socketio/socket.io-parser",
      },
      {
         type: "WEB",
         url: "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
         type: "CVSS_V3",
      },
      {
         score: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
         type: "CVSS_V4",
      },
   ],
   summary: "Insufficient validation when decoding a Socket.IO packet",
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.