CVE-2022-39386

Description

### Impact Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. ### Patches This has been patched in v7.1.1 (fastify v4) and v5.0.1 (fastify v3). ### Workarounds No known workaround is available. However, it should be possible to attach the error handler manually. The recommended path is upgrading to the patched versions. ## Credits [marcolanaro](https://github.com/marcolanaro) for finding and patching this vulnerability ### For more information If you have any questions or comments about this advisory: * Open an issue in [@fastify/websocket](https://github.com/fastify/fastify-websocket) * Email us at [[email protected]](mailto:[email protected])

How to fix CVE-2022-39386

To remediate CVE-2022-39386, upgrade the affected package to a fixed version below.

• —upgrade to 5.0.1 or later
• —no fix listed

Is CVE-2022-39386 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 5.0.0, < 5.0.1
• from 0, <= 4.3.0

CVSS scores

References (8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-39386
• PATCHgithub.com/fastify/fastify-websocket
• WEBgithub.com/fastify/fastify-websocket/commit/7e8c41a51c101c3d5ce88caee4f71d9c29eb2863
• WEBgithub.com/fastify/fastify-websocket/commit/c24adeb3efd57a18b2f287c35d029e88b5a47194