CVE-2023-37899
Feathers socket handler allows abusing implicit toString
Description
### Impact Feathers socket handler did not catch invalid string conversion errors like: ```ts const message = `${{ toString: '' }}` ``` Causing the NodeJS process to crash when sending an unexpected Socket.io message like ```ts socket.emit('find', { toString: '' }) ``` ### Patches A fix has been released in - `v5.0.8` via #3241 - `v4.5.18` via #3242 ### Workarounds Since it is in the core Socket handling code upgrading to the latest version is necessary. ### References - [v5.0.8 Changelog](https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19) - [v4.5.18 Changelog](https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19)
How to fix CVE-2023-37899
To remediate CVE-2023-37899, upgrade the affected package to a fixed version below.
- —upgrade to 4.5.18 or later
- —upgrade to 4.5.18 or later
Is CVE-2023-37899 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 4.5.18
- from 0, < 4.5.18
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |