CVE-2023-32695

Insufficient validation when decoding a Socket.IO packet

Description

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, killing the Node.js process (a denial of service). The crash surfaces as:

TypeError: Cannot convert object to primitive value
at Socket.emit (node:events:507:25)
at .../node_modules/socket.io/lib/socket.js:531:14
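The crash above comes from a decoded packet reaching Socket.emit() with an event name that is not a valid emitter key. The block below is an added example, not socket.io-parser's own decoder or the project's fix: it parses the text form of a Socket.IO packet (the public protocol's layout: type digit, optional attachment count for binary types, optional namespace, optional ack id, then a JSON payload; type numbers 0 CONNECT, 1 DISCONNECT, 2 EVENT, 3 ACK, 4 CONNECT_ERROR, 5 BINARY_EVENT, 6 BINARY_ACK) and refuses any packet whose payload shape does not match its type before anything is emitted. The validity rules and the reserved-event list are assumptions chosen for illustration, and the sample packets are constructed here, not taken from the advisory's reporter.

```javascript
// Added example: type-aware payload validation for a decoded Socket.IO packet.
// This is not socket.io-parser's code; it models the check a decoder needs
// before handing packet.data to EventEmitter.emit(). (assumption: the exact
// rules below are illustrative, not the library's.)
const PacketType = {
  CONNECT: 0, DISCONNECT: 1, EVENT: 2, ACK: 3,
  CONNECT_ERROR: 4, BINARY_EVENT: 5, BINARY_ACK: 6,
};

// Event names the server keeps for its own lifecycle (assumed list); a client
// must not be able to fire these by choosing the name in its packet.
const RESERVED_EVENTS = new Set([
  "connect", "connect_error", "disconnect", "disconnecting",
  "newListener", "removeListener",
]);

function isPlainObject(value) {
  return Object.prototype.toString.call(value) === "[object Object]";
}

// Decide whether `payload` (the parsed JSON part) is acceptable for `type`.
function isPayloadValid(type, payload) {
  switch (type) {
    case PacketType.CONNECT:
      return payload === undefined || isPlainObject(payload);
    case PacketType.DISCONNECT:
      return payload === undefined;
    case PacketType.CONNECT_ERROR:
      return typeof payload === "string" || isPlainObject(payload);
    case PacketType.EVENT:
    case PacketType.BINARY_EVENT:
      // payload[0] becomes the event name passed to emit(): only accept a
      // number or a non-reserved string, never an object or null.
      return Array.isArray(payload) &&
        (typeof payload[0] === "number" ||
          (typeof payload[0] === "string" && !RESERVED_EVENTS.has(payload[0])));
    case PacketType.ACK:
    case PacketType.BINARY_ACK:
      return Array.isArray(payload);
    default:
      return false;
  }
}

// Parse the text encoding of one packet, e.g. '2/admin,13["ping"]'.
// Throws on any malformed input so nothing partial reaches an emitter.
function decodePacket(str) {
  if (!/^[0-6]$/.test(str.charAt(0))) throw new Error("unknown packet type");
  const packet = { type: Number(str.charAt(0)) };
  let i = 1;

  // binary types carry "<attachments>-" right after the type digit
  if (packet.type === PacketType.BINARY_EVENT || packet.type === PacketType.BINARY_ACK) {
    const start = i;
    while (str.charAt(i) !== "-") {
      if (++i === str.length) throw new Error("illegal attachments");
    }
    packet.attachments = Number(str.substring(start, i));
    i++; // skip "-"
  }

  // a namespace other than "/" is written as "/name," before the payload
  if (str.charAt(i) === "/") {
    const start = i;
    while (str.charAt(i) !== ",") {
      if (++i === str.length) break;
    }
    packet.nsp = str.substring(start, i);
    i++; // skip ","
  } else {
    packet.nsp = "/";
  }

  // an optional ack id is a run of digits immediately before the JSON
  const idStart = i;
  while (/[0-9]/.test(str.charAt(i))) i++;
  if (i > idStart) packet.id = Number(str.substring(idStart, i));

  // the remainder, if any, must be JSON
  if (i < str.length) {
    try {
      packet.data = JSON.parse(str.substring(i));
    } catch (e) {
      throw new Error("invalid payload");
    }
  }

  if (!isPayloadValid(packet.type, packet.data)) {
    throw new Error("invalid payload for packet type " + packet.type);
  }
  return packet;
}

// Constructed sample packets (not from the advisory):
// decodePacket('2["chat message","hi"]')   -> accepted, event "chat message"
// decodePacket('2[{"name":"x"}]')          -> throws: event name is an object
// decodePacket('2["disconnect"]')          -> throws: reserved event name
```

The point of the shape check is that it runs on the untrusted wire input, before the decoded array is spread into emit(); a decoder that only checks that the JSON parsed, or only that data is an array, still lets a non-string event name through to the emitter.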

Patches

A fix has been released today (2023/05/22):

Another fix has been released for the 3.3.x branch:

socket.io version   socket.io-parser version   Needs minor update?
4.5.2...latest      ~4.2.0                     npm audit fix should be sufficient
4.1.3...4.5.1       ~4.1.1                     Please upgrade to socket.io@4.6.x
3.0.5...4.1.2       ~4.0.3                     Please upgrade to socket.io@4.6.x
3.0.0...3.0.4       ~4.0.1                     Please upgrade to socket.io@4.6.x
2.3.0...2.5.0       ~3.4.0                     npm audit fix should be sufficient

The middle column is the socket.io-parser range each socket.io line depends on. Where that tilde range can reach the patched parser release, npm audit fix is enough; where it cannot (the ~4.0.x and ~4.1.x rows), only upgrading socket.io itself pulls in a fixed parser. Check which parser version is actually installed with npm ls socket.io-parser rather than trusting the socket.io version alone.

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

Fix available through Seal Security without upgrading.

Ecosystem: JavaScript
Publish Date: May 23, 2023
Modified Date: November 18, 2024