Lucene search

GitHub Advisory DatabaseGHSA-R7QP-CFHV-P84W

HistoryNov 21, 2022 - 11:55 p.m.

Uncaught exception in engine.io

2022-11-2123:55:41

CWE-248

GitHub Advisory Database

github.com

100

http request

exception

node.js

patch

socket.io

upgrade

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H

0.001 Low

EPSS

Percentile

35.4%

JSON

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

Version range	Fixed version
`[email protected]`	`3.6.1`
`[email protected]`	`6.2.1`

For socket.io users:

Version range	`engine.io` version	Needs minor update?
`[email protected]`	`~6.2.0`	`npm audit fix` should be sufficient
`[email protected]`	`~6.1.0`	Please upgrade to `[email protected]`
`[email protected]`	`~6.0.0`	Please upgrade to `[email protected]`
`[email protected]`	`~5.2.0`	Please upgrade to `[email protected]`
`[email protected]`	`~5.1.1`	Please upgrade to `[email protected]`
`[email protected]`	`~5.0.0`	Please upgrade to `[email protected]`
`[email protected]`	`~4.1.0`	Please upgrade to `[email protected]` (see here)
`[email protected]`	`~4.0.0`	Please upgrade to `[email protected]` (see here)
`[email protected]`	`~3.6.0`	`npm audit fix` should be sufficient
`[email protected]` and below	`~3.5.0`	Please upgrade to `[email protected]`

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

Affected configurations

Vulners

Node

engine.ioclientRange4.0.0≥

engine.ioclientRange<6.2.1

engine.ioclientRange<3.6.1

CPENameOperatorVersion
engine.ioge4.0.0
engine.iolt6.2.1
engine.iolt3.6.1

Name	Operator	Version
engine.io	ge	4.0.0
engine.io	lt	6.2.1
engine.io	lt	3.6.1

References

github.com/advisories/GHSA-r7qp-cfhv-p84w

github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6

github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085

github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w

nvd.nist.gov/vuln/detail/CVE-2022-41940

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H

0.001 Low

EPSS

Percentile

35.4%

JSON

Related for GHSA-R7QP-CFHV-P84W