Security Headlines

GHSA-cqmj-92xf-r6r9: Insufficient validation when decoding a Socket.IO packet

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

  • https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in [email protected]
  • https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in [email protected]
| socket.io version | socket.io-parser version | Needs minor update? |
|---|---|---|
| 4.5.2...latest | ~4.2.0 (ref) | npm audit fix should be sufficient |
| 4.1.3...4.5.1 | ~4.1.1 (ref) | Please upgrade to [email protected] |
| 3.0.5...4.1.2 | ~4.0.3 (ref) | Please upgrade to [email protected] |
| 3.0.0...3.0.4 | ~4.0.1 (ref) | Please upgrade to [email protected] |
| 2.3.0...2.5.0 | ~3.4.0 (ref) | npm audit fix should be sufficient |

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

Source: GitHub Advisory Database (GitHub Reviewed), CVE-2023-32695
Tags: #nodejs #js #git

Insufficient validation when decoding a Socket.IO packet

Package: socket.io-parser (npm)

Affected versions: >= 4.0.0, < 4.2.3; >= 3.4.0, < 3.4.3

Patched versions: 4.2.3; 3.4.3


References

  • GHSA-cqmj-92xf-r6r9
  • socketio/socket.io-parser@2dc3c92
  • socketio/socket.io-parser@3b78117

Published to the GitHub Advisory Database: May 23, 2023

Related news

CVE-2023-28955: Security Bulletin: Multiple security vulnerabilities affecting Watson Knowledge Catalog for IBM Cloud Pak for Data

IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user to send a specially crafted request that could cause a denial of service. IBM X-Force ID: 251704.

CVE-2023-32695: Release 4.2.3 · socketio/socket.io-parser

socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.