logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2022-21676 engine.io

Package

Manager: npm
Name: engine.io
Vulnerable Version: >=4.0.0 <4.1.2 || >=5.0.0 <5.2.1 || >=6.0.0 <6.1.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.04082 pctl0.88112

Details

Uncaught Exception in engine.io ### Impact A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. > RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear > at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14) > at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22) > at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10) > at writeOrBuffer (internal/streams/writable.js:358:12) This impacts all the users of the [`engine.io`](https://www.npmjs.com/package/engine.io) package starting from version `4.0.0`, including those who uses depending packages like [`socket.io`](https://www.npmjs.com/package/socket.io). ### Patches A fix has been released for each major branch: | Version range | Fixed version | | --- | --- | | `engine.io@4.x.x` | `4.1.2` | | `engine.io@5.x.x` | `5.2.1` | | `engine.io@6.x.x` | `6.1.1` | Previous versions (`< 4.0.0`) are not impacted. For `socket.io` users: | Version range | `engine.io` version | Needs minor update? | | --- | --- | --- | | `socket.io@4.4.x` | `~6.1.0` | - | `socket.io@4.3.x` | `~6.0.0` | Please upgrade to `socket.io@4.4.x` | `socket.io@4.2.x` | `~5.2.0` | - | `socket.io@4.1.x` | `~5.1.1` | Please upgrade to `socket.io@4.4.x` | `socket.io@4.0.x` | `~5.0.0` | Please upgrade to `socket.io@4.4.x` | `socket.io@3.1.x` | `~4.1.0` | - | `socket.io@3.0.x` | `~4.0.0` | Please upgrade to `socket.io@3.1.x` or `socket.io@4.4.x` (see [here](https://socket.io/docs/v4/migrating-from-3-x-to-4-0/)) In most cases, running `npm audit fix` should be sufficient. You can also use `npm update engine.io --depth=9999`. ### Workarounds There is no known workaround except upgrading to a safe version. ### For more information If you have any questions or comments about this advisory: * Open an issue in [`engine.io`](https://github.com/socketio/engine.io) Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

Metadata

Created: 2022-01-13T16:14:17Z
Modified: 2022-01-21T13:25:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-273r-mgr4-v34f/GHSA-273r-mgr4-v34f.json
CWE IDs: ["CWE-754", "CWE-755"]
Alternative ID: GHSA-273r-mgr4-v34f
Finding: F096
Auto approve: 1