Headline
GHSA-r7qp-cfhv-p84w: Uncaught exception in engine.io
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
events.js:292
throw er; // Unhandled 'error' event
^
Error: read ECONNRESET
at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
at emitErrorNT (internal/streams/destroy.js:106:8)
at emitErrorCloseNT (internal/streams/destroy.js:74:3)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
errno: -104,
code: 'ECONNRESET',
syscall: 'read'
}
This impacts all users of the engine.io package, including those who use dependent packages like socket.io.
Patches
A fix has been released today (2022/11/20):
Version range | Fixed version |
---|---|
[email protected] | 3.6.1 |
[email protected] | 6.2.1 |
For socket.io users:
Version range | engine.io version | Needs minor update? |
---|---|---|
[email protected] | ~6.2.0 | npm audit fix should be sufficient |
[email protected] | ~6.1.0 | Please upgrade to [email protected] |
[email protected] | ~6.0.0 | Please upgrade to [email protected] |
[email protected] | ~5.2.0 | Please upgrade to [email protected] |
[email protected] | ~5.1.1 | Please upgrade to [email protected] |
[email protected] | ~5.0.0 | Please upgrade to [email protected] |
[email protected] | ~4.1.0 | Please upgrade to [email protected] (see here) |
[email protected] | ~4.0.0 | Please upgrade to [email protected] (see here) |
[email protected] | ~3.6.0 | npm audit fix should be sufficient |
[email protected] and below | ~3.5.0 | Please upgrade to [email protected] |
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
- Open an issue in engine.io
Thanks to Jonathan Neve for the responsible disclosure.
References
- GHSA-r7qp-cfhv-p84w
Related news
Engine.IO is the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all users of the engine.io package, including those who use dependent packages like socket.io. There is no known workaround except upgrading to a safe version. Patches for this issue were released in versions 3.6.1 and 6.2.1.