Headline
GHSA-q9mw-68c2-j6m5: engine.io Uncaught Exception vulnerability
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
at Server.onWebSocket (build/server.js:515:67)
This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.
Patches
A fix has been released today (2023/05/02): 6.4.2
This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.
For socket.io users:
| Version range | engine.io version | Needs minor update? |
|---|---|---|
[email protected] | ~6.4.0 | npm audit fix should be sufficient |
[email protected] | ~6.2.0 | Please upgrade to [email protected] |
[email protected] | ~6.1.0 | Please upgrade to [email protected] |
[email protected] | ~6.0.0 | Please upgrade to [email protected] |
[email protected] | ~5.2.0 | Please upgrade to [email protected] |
[email protected] | ~5.1.1 | Please upgrade to [email protected] |
[email protected] | ~5.0.0 | Not impacted |
[email protected] | ~4.1.0 | Not impacted |
[email protected] | ~4.0.0 | Not impacted |
[email protected] | ~3.6.0 | Not impacted |
[email protected] and below | ~3.5.0 | Not impacted |
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
- Open an issue in
engine.io
Thanks to Thomas Rinsma from Codean for the responsible disclosure.
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
at Server.onWebSocket (build/server.js:515:67)
This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.
Patches
A fix has been released today (2023/05/02): 6.4.2
This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.
For socket.io users:
Version range
engine.io version
Needs minor update?
~6.4.0
npm audit fix should be sufficient
~6.2.0
Please upgrade to [email protected]
~6.1.0
Please upgrade to [email protected]
~6.0.0
Please upgrade to [email protected]
~5.2.0
Please upgrade to [email protected]
~5.1.1
Please upgrade to [email protected]
~5.0.0
Not impacted
~4.1.0
Not impacted
~4.0.0
Not impacted
~3.6.0
Not impacted
[email protected] and below
~3.5.0
Not impacted
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
- Open an issue in engine.io
Thanks to Thomas Rinsma from Codean for the responsible disclosure.
References
- GHSA-q9mw-68c2-j6m5
- socketio/engine.io@fc480b4
- https://github.com/socketio/engine.io/releases/tag/6.4.2
Related news
IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user send a specially crafted request that could cause a denial of service. IBM X-Force ID: 251704.
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package, including those who use depending packages like `socket.io`. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.