CVE-2023-31125
MEDIUM6.5EPSS 1.1%engine.io Uncaught Exception vulnerability
Description
### Impact A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. ``` TypeError: Cannot read properties of undefined (reading 'handlesUpgrades') at Server.onWebSocket (build/server.js:515:67) ``` This impacts all the users of the [`engine.io`](https://www.npmjs.com/package/engine.io) package, including those who uses depending packages like [`socket.io`](https://www.npmjs.com/package/socket.io). ### Patches A fix has been released today (2023/05/02): [6.4.2](https://github.com/socketio/engine.io/releases/tag/6.4.2) This bug was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. For `socket.io` users: | Version range | `engine.io` version | Needs minor update? | |-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------| | `[email protected]` | `~6.4.0` | `npm audit fix` should be sufficient | | `[email protected]` | `~6.2.0` | Please upgrade to `[email protected]` | | `[email protected]` | `~6.1.0` | Please upgrade to `[email protected]` | | `[email protected]` | `~6.0.0` | Please upgrade to `[email protected]` | | `[email protected]` | `~5.2.0` | Please upgrade to `[email protected]` | | `[email protected]` | `~5.1.1` | Please upgrade to `[email protected]` | | `[email protected]` | `~5.0.0` | Not impacted | | `[email protected]` | `~4.1.0` | Not impacted | | `[email protected]` | `~4.0.0` | Not impacted | | `[email protected]` | `~3.6.0` | Not impacted | | `[email protected]` and below | `~3.5.0` | Not impacted | ### Workarounds There is no known workaround except upgrading to a safe version. ### For more information If you have any questions or comments about this advisory: * Open an issue in [`engine.io`](https://github.com/socketio/engine.io) Thanks to Thomas Rinsma from Codean for the responsible disclosure.
Affected packages (1)
- npm/engine.io>= 5.1.0, < 6.4.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-31125
- PATCHhttps://github.com/socketio/engine.io
- WEBhttps://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44
- WEBhttps://github.com/socketio/engine.io/releases/tag/6.4.2
- WEBhttps://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5
- WEBhttps://security.netapp.com/advisory/ntap-20230622-0002