CVE-2022-2421

Due to improper type validation in the `socket.io-parser` library (which is used by the `socket.io` and `socket.io-client` packages to encode and decode Socket.IO packets), it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object. Example: ```js const decoder = new Decoder(); decoder.on(\"decoded\", (packet) => { console.log(packet.data); // prints [ 'hello', [Function: splice] ] }) decoder.add('51-[\"hello\",{\"_placeholder\":true,\"num\":\"splice\"}]'); decoder.add(Buffer.from(\"world\")); ``` This bubbles up in the `socket.io` package: ```js io.on(\"connection\", (socket) => { socket.on(\"hello\", (val) => { // here, \"val\" could be a reference instead of what the user expected }); }); ``` At first sight, the potential impact seems rather limited, but please upgrade to a safe version as soon as possible. This should be fixed by: - https://github.com/socketio/socket....

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.