Ecosyste.ms: Advisories
fastify/websocket vulnerable to uncaught exception via crash on malformed packet
Impact
Any application using @fastify/websocket could crash if a specific, malformed packet is sent.
All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched.
Patches
This has been patched in v7.1.1 (fastify v4) and v5.0.1 (fastify v3).
Workarounds
No known workaround is available, although it should be possible to attach the error handler manually.
The recommended path is upgrading to the patched versions.
Credits
marcolanaro for finding and patching this vulnerability
For more information
If you have any questions or comments about this advisory:
- Open an issue in @fastify/websocket
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cGNnLXdyNmMtaDljcc4AAvu9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-4pcg-wr6c-h9cq, CVE-2022-39386
References:
- https://github.com/fastify/fastify-websocket/security/advisories/GHSA-4pcg-wr6c-h9cq
- https://github.com/fastify/fastify-websocket/releases/tag/v5.0.1
- https://github.com/fastify/fastify-websocket/releases/tag/v7.1.1
- https://nvd.nist.gov/vuln/detail/CVE-2022-39386
- https://github.com/fastify/fastify-websocket/pull/228
- https://github.com/fastify/fastify-websocket/commit/7e8c41a51c101c3d5ce88caee4f71d9c29eb2863
- https://github.com/fastify/fastify-websocket/commit/c24adeb3efd57a18b2f287c35d029e88b5a47194
- https://github.com/advisories/GHSA-4pcg-wr6c-h9cq
Blast Radius: 19.8
Affected Packages
npm:@fastify/websocket
Dependent packages: 73
Dependent repositories: 366
Downloads: 623,580 last month
Affected Version Ranges: >= 5.0.0, < 5.0.1 and >= 6.0.0, < 7.1.1
Fixed in: 5.0.1, 7.1.1
All affected versions: 5.0.0, 6.0.0, 6.0.1, 7.0.0, 7.0.1, 7.1.0
All unaffected versions: 5.0.1, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.3.1, 9.0.0, 10.0.0, 10.0.1, 11.0.0
npm:fastify-websocket
Dependent packages: 77
Dependent repositories: 436
Downloads: 50,149 last month
Affected Version Ranges: <= 4.3.0
No known fixed version
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.1.0, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 4.0.0, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0