Lucene search

GoogleOSV:GHSA-R7QP-CFHV-P84W

HistoryNov 21, 2022 - 11:55 p.m.

Uncaught exception in engine.io

2022-11-2123:55:41

Google

osv.dev

http request

engine.io

node.js

package

security advisory

socket.io

npm audit fix

upgrade

workaround

responsible disclosure

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H

0.001 Low

EPSS

Percentile

35.4%

JSON

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

Version range	Fixed version
`[email protected]`	`3.6.1`
`[email protected]`	`6.2.1`

For socket.io users:

Version range	`engine.io` version	Needs minor update?
`[email protected]`	`~6.2.0`	`npm audit fix` should be sufficient
`[email protected]`	`~6.1.0`	Please upgrade to `[email protected]`
`[email protected]`	`~6.0.0`	Please upgrade to `[email protected]`
`[email protected]`	`~5.2.0`	Please upgrade to `[email protected]`
`[email protected]`	`~5.1.1`	Please upgrade to `[email protected]`
`[email protected]`	`~5.0.0`	Please upgrade to `[email protected]`
`[email protected]`	`~4.1.0`	Please upgrade to `[email protected]` (see here)
`[email protected]`	`~4.0.0`	Please upgrade to `[email protected]` (see here)
`[email protected]`	`~3.6.0`	`npm audit fix` should be sufficient
`[email protected]` and below	`~3.5.0`	Please upgrade to `[email protected]`

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

CPENameOperatorVersion
engine.iolt6.2.1
engine.ioge4.0.0
engine.iolt3.6.1

Name	Operator	Version
engine.io	lt	6.2.1
engine.io	ge	4.0.0
engine.io	lt	3.6.1

References

github.com/socketio/engine.io

github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6

github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085

github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w

nvd.nist.gov/vuln/detail/CVE-2022-41940

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H

0.001 Low

EPSS

Percentile

35.4%

JSON

Related for OSV:GHSA-R7QP-CFHV-P84W