logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-31125 engine.io

Package

Manager: npm
Name: engine.io
Vulnerable Version: >=5.1.0 <6.4.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00609 pctl0.68795

Details

engine.io Uncaught Exception vulnerability ### Impact A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. ``` TypeError: Cannot read properties of undefined (reading 'handlesUpgrades') at Server.onWebSocket (build/server.js:515:67) ``` This impacts all the users of the [`engine.io`](https://www.npmjs.com/package/engine.io) package, including those who uses depending packages like [`socket.io`](https://www.npmjs.com/package/socket.io). ### Patches A fix has been released today (2023/05/02): [6.4.2](https://github.com/socketio/engine.io/releases/tag/6.4.2) This bug was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. For `socket.io` users: | Version range | `engine.io` version | Needs minor update? | |-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------| | `socket.io@4.6.x` | `~6.4.0` | `npm audit fix` should be sufficient | | `socket.io@4.5.x` | `~6.2.0` | Please upgrade to `socket.io@4.6.x` | | `socket.io@4.4.x` | `~6.1.0` | Please upgrade to `socket.io@4.6.x` | | `socket.io@4.3.x` | `~6.0.0` | Please upgrade to `socket.io@4.6.x` | | `socket.io@4.2.x` | `~5.2.0` | Please upgrade to `socket.io@4.6.x` | | `socket.io@4.1.x` | `~5.1.1` | Please upgrade to `socket.io@4.6.x` | | `socket.io@4.0.x` | `~5.0.0` | Not impacted | | `socket.io@3.1.x` | `~4.1.0` | Not impacted | | `socket.io@3.0.x` | `~4.0.0` | Not impacted | | `socket.io@2.5.0` | `~3.6.0` | Not impacted | | `socket.io@2.4.x` and below | `~3.5.0` | Not impacted | ### Workarounds There is no known workaround except upgrading to a safe version. ### For more information If you have any questions or comments about this advisory: * Open an issue in [`engine.io`](https://github.com/socketio/engine.io) Thanks to Thomas Rinsma from Codean for the responsible disclosure.

Metadata

Created: 2023-05-03T21:56:51Z
Modified: 2025-02-13T18:54:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-q9mw-68c2-j6m5/GHSA-q9mw-68c2-j6m5.json
CWE IDs: ["CWE-248"]
Alternative ID: GHSA-q9mw-68c2-j6m5
Finding: F140
Auto approve: 1