CVE-2023-38504
Severity: HIGH 7.5
EPSS: 0.30%
DoS vulnerability for apps with sockets enabled
Published: 7/27/2023
Modified: 11/8/2023
Description
### Impact

In Sails apps <= v1.5.6, an attacker can send a virtual request that will cause the Node process to crash.

### Patches

This behavior was fixed in Sails [v1.5.7](https://github.com/balderdashy/sails/releases/tag/v1.5.7).

### Workarounds

Disable the sockets hook and remove the `sails.io.js` client.

### References

https://github.com/balderdashy/sails/pull/7287

Big thanks to @ThomasRinsma at [Codean](https://www.linkedin.com/company/codeanio/)!
Affected packages (1)
- npm/sails: from 0, < 1.5.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-38504
- PATCH: https://github.com/balderdashy/sails
- WEB: https://github.com/balderdashy/sails/commit/4a023dc5095a4b30fdc8535f705ed34cd22d2f7d
- WEB: https://github.com/balderdashy/sails/pull/7287
- WEB: https://github.com/balderdashy/sails/releases/tag/v1.5.7
- WEB: https://github.com/balderdashy/sails/security/advisories/GHSA-gpw9-fwm8-7rx7