GHSA-hhr9-rh25-hvf9: Feathers socket handler allows abusing implicit toString

Impact

The Feathers socket handler did not catch the errors thrown by implicit string conversion of a client-supplied value, for example:

const message = `${{ toString: '' }}`

This crashed the NodeJS process when a client sent an unexpected Socket.io message such as:

socket.emit('find', { toString: '' })
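As an added illustration (not code from the Feathers project), the following shows why the template-literal coercion above throws a TypeError and how a service lookup can validate the incoming path so the error becomes an error reply instead of an uncaught exception. The service registry and all function names are hypothetical.

```javascript
// Added example, not Feathers' own code: why `${obj}` throws when `toString`
// is not callable, and how a socket handler can reject such a path instead of
// letting the TypeError crash the process. Names below are hypothetical.

// Constructed service registry standing in for an app's registered services.
const SERVICES = {
  messages: { name: 'messages' },
  users: { name: 'users' },
};

// Lookup modelled on the pre-fix behaviour: coerce whatever the client sent.
// For { toString: '' } the template literal calls ToPrimitive, finds neither a
// callable toString nor a primitive-returning valueOf, and throws a TypeError.
function naiveLookup(services, path) {
  const key = `${path}`;
  return services[key] || null;
}

// Hardened lookup: accept only strings, and only own keys of the registry, so
// neither an uncallable toString nor an inherited name like 'constructor'
// resolves to a service.
function safeLookup(services, path) {
  if (typeof path !== 'string') return null;
  return Object.prototype.hasOwnProperty.call(services, path) ? services[path] : null;
}

// Handler boundary: any error raised while resolving the path is turned into
// an error reply for that client; nothing propagates to the event loop.
function handleSocketMessage(lookup, services, path) {
  try {
    const service = lookup(services, path);
    if (!service) return { ok: false, error: 'Service not found' };
    return { ok: true, service: service.name };
  } catch (err) {
    return { ok: false, error: `Invalid service path: ${err.name}` };
  }
}
```

Run with the naive lookup, the handler still answers the client because the try/catch sits at the message boundary; with the safe lookup the malformed path never reaches a coercion at all.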

Patches

A fix has been released in

  • v5.0.8 via #3241
  • v4.5.18 via #3242

Workarounds

Since the bug is in the core socket handling code, upgrading to the latest version is necessary.


GitHub Advisory Database entry (GitHub Reviewed): High severity, published Jul 19, 2023 in feathersjs/feathers
Package: @feathersjs/socketio (npm)
  Affected versions: <= 4.5.17; >= 5.0.0, <= 5.0.7
  Patched versions: 4.5.18; 5.0.8

Package: @feathersjs/transport-commons (npm)
  Affected versions: <= 4.5.17; >= 5.0.0, <= 5.0.7
  Patched versions: 4.5.18; 5.0.8

References

  • v5.0.8 Changelog: https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19
  • v4.5.18 Changelog: https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19
  • GHSA-hhr9-rh25-hvf9
  • https://nvd.nist.gov/vuln/detail/CVE-2023-37899
  • feathersjs/feathers#3241
  • feathersjs/feathers#3242
  • feathersjs/feathers@0b9a6b1
  • feathersjs/feathers@c397ab3

daffl published to feathersjs/feathers: Jul 19, 2023
Published to the GitHub Advisory Database: Jul 20, 2023
Reviewed: Jul 20, 2023

Severity: High (7.5 / 10)

CVSS base metrics
  Attack vector: Network
  Attack complexity: Low
  Privileges required: None
  User interaction: None
  Scope: Unchanged
  Confidentiality: None
  Integrity: None
  Availability: High
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses: CWE-754
CVE ID: CVE-2023-37899
GHSA ID: GHSA-hhr9-rh25-hvf9
Source code: feathersjs/feathers
Credits: CodeanIO (Reporter)

Related news

CVE-2023-37899: fix(transport-commons): Handle invalid service paths on socket lookups by daffl · Pull Request #3242 · feathersjs/feathers

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like `const message = ${{ toString: '' }}` which would cause the NodeJS process to crash when sending an unexpected Socket.io message like `socket.emit('find', { toString: '' })`. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.