CVE-2023-37899

描述

### Impact Feathers socket handler did not catch invalid string conversion errors like: ```ts const message = `${{ toString: '' }}` ``` Causing the NodeJS process to crash when sending an unexpected Socket.io message like ```ts socket.emit('find', { toString: '' }) ``` ### Patches A fix has been released in - `v5.0.8` via #3241 - `v4.5.18` via #3242 ### Workarounds Since it is in the core Socket handling code upgrading to the latest version is necessary. ### References - [v5.0.8 Changelog](https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19) - [v4.5.18 Changelog](https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19)

如何修補 CVE-2023-37899

要修補 CVE-2023-37899,請將受影響套件升級到下列已修補版本。

• —升級至 4.5.18 或更新版本
• —升級至 4.5.18 或更新版本

CVE-2023-37899 正在被利用嗎?

低 — EPSS 為 0.3%,目前沒有觀察到大規模利用活動。

受影響套件(2)

• from 0, < 4.5.18
• from 0, < 4.5.18

CVSS 分數

參考連結(9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-37899
• PATCHgithub.com/feathersjs/feathers
• WEBgithub.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19
• WEBgithub.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19