Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.
References
Link | Resource |
---|---|
https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6 | Patch Third Party Advisory |
https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085 | Patch Third Party Advisory |
https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2022-11-22 01:15
Updated : 2024-02-28 19:51
NVD link : CVE-2022-41940
Mitre link : CVE-2022-41940
CVE.ORG link : CVE-2022-41940
JSON object : View
Products Affected
socket
- engine.io
CWE
CWE-248
Uncaught Exception