GHSA-qm95-pgcg-qqfq: Insufficient validation when decoding a Socket.IO packet

Due to improper type validation in the socket.io-parser library (which is used by the socket.io and socket.io-client packages to encode and decode Socket.IO packets), the num field of a _placeholder object (the marker that stands in for a binary attachment while a packet is being reconstructed) is not checked to be a valid attachment index. An attacker can therefore make the placeholder resolve to a property of the attachments array instead of an attachment, which allows them to place references to functions at arbitrary places in the resulting query object.

Example:

const { Decoder } = require("socket.io-parser");

const decoder = new Decoder();

decoder.on("decoded", (packet) => {
  console.log(packet.data); // prints [ 'hello', [Function: splice] ]
});

// "num" is meant to be an integer index into the attachments that follow,
// but a property name such as "splice" is accepted and resolves to Array.prototype.splice
decoder.add('51-["hello",{"_placeholder":true,"num":"splice"}]');
decoder.add(Buffer.from("world"));

This bubbles up in the socket.io package:

const { Server } = require("socket.io");
const io = new Server(3000);

io.on("connection", (socket) => {
  socket.on("hello", (val) => {
    // here, "val" could be a function reference (e.g. Array.prototype.splice) instead of what the user expected
  });
});

At first sight, the potential impact seems rather limited, but please upgrade to a safe version as soon as possible.
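The decoding step described above, as an added example: a minimal re-implementation of the placeholder reconstruction rather than socket.io-parser's own code. The packet layout (one-digit packet type, attachment count and "-", then a JSON payload, with the raw attachments collected into an array), the function names and the sample packets are assumptions made for this illustration, and the hardened lookup is this example's own index check, not the text of the fix commits.

```javascript
// Added example, not socket.io-parser's own code: a minimal re-implementation of
// the Socket.IO binary-packet reconstruction step, showing why an unvalidated
// "num" in a {"_placeholder":true,"num":...} marker hands the application a
// function reference, and the type/range check that closes the hole.
// Assumed packet layout: one digit packet type; for binary packets the
// attachment count followed by "-"; then a JSON payload. The raw attachments
// arrive afterwards and are collected into an array of buffers.

const BINARY_EVENT = 5;

// Parse the textual part of a packet into { type, attachments, data }.
function parseHeader(str) {
  let i = 0;
  const type = Number(str.charAt(i++));
  let attachments = 0;
  if (type === BINARY_EVENT) {
    const start = i;
    while (str.charAt(i) !== "-") {
      if (i === str.length) throw new Error("illegal attachments");
      i++;
    }
    attachments = Number(str.substring(start, i));
    i++; // skip the "-"
  }
  return { type, attachments, data: JSON.parse(str.substring(i)) };
}

// Walk the payload and swap each placeholder for an attachment, using the
// supplied lookup to resolve a placeholder's "num" against the buffers array.
function reconstruct(data, buffers, lookup) {
  if (!data) return data;
  if (data._placeholder === true) return lookup(data.num, buffers);
  if (Array.isArray(data)) return data.map((d) => reconstruct(d, buffers, lookup));
  if (typeof data === "object") {
    const out = {};
    for (const k of Object.keys(data)) out[k] = reconstruct(data[k], buffers, lookup);
    return out;
  }
  return data;
}

// Vulnerable lookup: any JSON value is accepted as the index. A string such as
// "splice" or "constructor" resolves to a property of the Array, not a buffer.
function lookupUnchecked(num, buffers) {
  return buffers[num];
}

// Hardened lookup: "num" must be a non-negative integer below the attachment
// count; anything else is rejected before it can reach application code.
function lookupChecked(num, buffers) {
  if (typeof num !== "number" || !Number.isInteger(num) || num < 0 || num >= buffers.length) {
    throw new Error("illegal attachments");
  }
  return buffers[num];
}

// Decode a complete binary packet (header string plus its attachments).
function decode(str, buffers, lookup) {
  const packet = parseHeader(str);
  if (packet.type === BINARY_EVENT && packet.attachments !== buffers.length) {
    throw new Error("missing or extra attachments");
  }
  return { type: packet.type, data: reconstruct(packet.data, buffers, lookup) };
}

// Constructed inputs: the advisory's malicious packet and a legitimate one.
const MALICIOUS = '51-["hello",{"_placeholder":true,"num":"splice"}]';
const BENIGN = '51-["hello",{"_placeholder":true,"num":0}]';
const ATTACHMENTS = [Buffer.from("world")];

function demo() {
  const vuln = decode(MALICIOUS, ATTACHMENTS, lookupUnchecked);
  const good = decode(BENIGN, ATTACHMENTS, lookupChecked);
  let rejected = false;
  try {
    decode(MALICIOUS, ATTACHMENTS, lookupChecked);
  } catch (e) {
    rejected = true;
  }
  return {
    vulnerableGivesFunction: typeof vuln.data[1] === "function",
    benignGivesBuffer: Buffer.isBuffer(good.data[1]) && good.data[1].toString() === "world",
    hardenedRejects: rejected,
  };
}

console.log(demo()); // { vulnerableGivesFunction: true, benignGivesBuffer: true, hardenedRejects: true }
```

The unchecked lookup is the whole problem in one line: buffers is an Array, so any property name the attacker puts in num is looked up on it, and the application callback receives whatever that property holds. The checked version rejects non-numbers, fractions, negative indices and indices past the attachment count, and the decoder additionally refuses a packet whose declared attachment count does not match what arrived.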

This should be fixed by:

  • https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050, included in socket.io-parser@4.2.1
  • https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4, included in a patched socket.io-parser release (the version string is mangled in the source)

Dependency analysis for the socket.io package

socket.io version | socket.io-parser version | Covered?
------------------|--------------------------|---------
4.5.2...latest    | ~4.2.0                   | Yes ✔️
4.1.3...4.5.1     | ~4.0.4                   | Yes ✔️
3.0.5...4.1.2     | ~4.0.3                   | Yes ✔️
3.0.0...3.0.4     | ~4.0.1                   | Yes ✔️

Dependency analysis for the socket.io-client package

socket.io-client version | socket.io-parser version | Covered?
-------------------------|--------------------------|---------------------------------
4.5.0...latest           | ~4.2.0                   | Yes ✔️
4.3.0...4.4.1            | ~4.1.1                   | No, but the impact is very limited
3.1.0...4.2.0            | ~4.0.4                   | Yes ✔️
3.0.5                    | ~4.0.3                   | Yes ✔️
3.0.0...3.0.4            | ~4.0.1                   | Yes ✔️

References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-2421
  • https://csirt.divd.nl/cases/DIVD-2022-00045
  • https://csirt.divd.nl/cves/CVE-2022-2421
  • socketio/socket.io-parser@b559f05
  • socketio/socket.io-parser@b5d0cb7

Related news

CVE-2022-2421

Due to improper type validation in attachment parsing in the Socket.io JS library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.
