CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Percentile: 48.9%

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. The Feathers socket handler did not catch invalid string conversion errors such as `` const message = `${{ toString: '' }}` ``, which would cause the Node.js process to crash when sending an unexpected Socket.io message like `socket.emit('find', { toString: '' })`. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.
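
The failure mode described above, as an added example that is not Feathers source code: the handler names, the `dispatch` helper and the reply shape are hypothetical. It contrasts a handler that interpolates an untrusted payload into a string with one that type-checks the payload and turns any exception into an error reply.

```javascript
// Added example; all names here are hypothetical, not the Feathers API.

// "Before" shape: the untrusted payload is interpolated into a template
// literal. For { toString: '' } the conversion throws a TypeError, because
// toString is not callable and the inherited valueOf returns the object.
function unsafeHandler(payload, callback) {
  const message = `find called with ${payload}`; // may throw
  callback(null, message);
}

// Hardened shape: accept only the expected primitive type, and convert any
// exception into an error reply so it never escapes the handler.
function safeHandler(payload, callback) {
  try {
    if (typeof payload !== 'string') {
      throw new TypeError('payload must be a string');
    }
    callback(null, `find called with ${payload}`);
  } catch (err) {
    callback({ name: err.name, message: err.message });
  }
}

// Stand-in for the transport layer: decodes one JSON message (as a socket
// library would) and invokes the handler. Returns how the call ended.
function dispatch(handler, rawJson) {
  const payload = JSON.parse(rawJson);
  let outcome = 'no-reply';
  try {
    handler(payload, (err) => {
      outcome = err ? 'error-reply' : 'reply';
    });
  } catch (e) {
    // A real server has no caller to catch this: the exception becomes an
    // uncaughtException and the Node.js process exits.
    outcome = 'uncaught';
  }
  return outcome;
}

// Constructed sample messages: one well-formed, one shadowing toString.
const WELL_FORMED = '"users"';
const SHADOWED = '{"toString":""}';

console.log('unsafe:', dispatch(unsafeHandler, SHADOWED));
console.log('safe:  ', dispatch(safeHandler, SHADOWED));
```
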
Vendor | Product | Version | CPE |
---|---|---|---|
feathersjs | feathers | * | cpe:2.3:a:feathersjs:feathers:*:*:*:*:*:node.js:*:* |
[
  {
    "vendor": "feathersjs",
    "product": "feathers",
    "versions": [
      {
        "version": "< 4.5.18",
        "status": "affected"
      },
      {
        "version": ">= 5.0.0, < 5.0.8",
        "status": "affected"
      }
    ]
  }
]