Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE–2023–31125 #3

Open
wants to merge 1 commit into
base: debricked-fix-bulk_fix-1bd13f51e95d799d
Choose a base branch
from
Open

Fix CVE–2023–31125 #3

wants to merge 1 commit into from

Conversation

debricked[bot]
Copy link

@debricked debricked bot commented Sep 13, 2023

CVE–2023–31125

Vulnerability details

Description

Uncaught Exception

An exception is thrown from a function, but it is not caught.

NVD

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who use depending packages like socket.io. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.

GitHub

engine.io Uncaught Exception vulnerability

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
    at Server.onWebSocket (build/server.js:515:67)

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2023/05/02): 6.4.2

This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.

For socket.io users:

Version range engine.io version Needs minor update?
socket.io@4.6.x ~6.4.0 npm audit fix should be sufficient
socket.io@4.5.x ~6.2.0 Please upgrade to socket.io@4.6.x
socket.io@4.4.x ~6.1.0 Please upgrade to socket.io@4.6.x
socket.io@4.3.x ~6.0.0 Please upgrade to socket.io@4.6.x
socket.io@4.2.x ~5.2.0 Please upgrade to socket.io@4.6.x
socket.io@4.1.x ~5.1.1 Please upgrade to socket.io@4.6.x
socket.io@4.0.x ~5.0.0 Not impacted
socket.io@3.1.x ~4.1.0 Not impacted
socket.io@3.0.x ~4.0.0 Not impacted
socket.io@2.5.0 ~3.6.0 Not impacted
socket.io@2.4.x and below ~3.5.0 Not impacted

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Thanks to Thomas Rinsma from Codean for the responsible disclosure.

CVSS details - 6.5

 

CVSS3 metrics
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High
References

    NVD - CVE-2023-31125
    engine.io Uncaught Exception vulnerability · CVE-2023-31125 · GitHub Advisory Database · GitHub
    fix: prevent crash when provided with an invalid query param · socketio/engine.io@fc480b4 · GitHub
    Release 6.4.2 · socketio/engine.io · GitHub
    Uncaught exception in engine.io · Advisory · socketio/engine.io · GitHub
    CVE-2023-31125 Node.js Vulnerability in NetApp Products | NetApp Product Security

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
0 participants