Headline
CVE-2023-32695: Release 4.2.3 · socketio/socket.io-parser
socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.
⚠️ This release contains an important security fix ⚠️
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
TypeError: Cannot convert object to primitive value
at Socket.emit (node:events:507:25)
at .../node_modules/socket.io/lib/socket.js:531:14
Please upgrade as soon as possible.
Bug Fixes
- check the format of the event name (3b78117)
Links
- Diff: 4.2.2…4.2.3
Related news
IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user send a specially crafted request that could cause a denial of service. IBM X-Force ID: 251704.
### Impact A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. ``` TypeError: Cannot convert object to primitive value at Socket.emit (node:events:507:25) at .../node_modules/socket.io/lib/socket.js:531:14 ``` ### Patches A fix has been released today (2023/05/22): - https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `[email protected]` - https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `[email protected]` | `socket.io` version | `socket.io-parser` version | Needs minor update? | |---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------| | `4.5.2...latest` | `~4.2.0`...