Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1oaHI5LXJoMjUtaHZmOc4AA00L

Feathers socket handler allows abusing implicit toString

Impact

Feathers socket handler did not catch invalid string conversion errors like:

const message = `${{ toString: '' }}`

Causing the NodeJS process to crash when sending an unexpected Socket.io message like

socket.emit('find', { toString: '' })

Patches

A fix has been released in

• v5.0.8 via #3241
• v4.5.18 via #3242

Workarounds

Since it is in the core Socket handling code upgrading to the latest version is necessary.

References

• v5.0.8 Changelog
• v4.5.18 Changelog

Permalink: https://github.com/advisories/GHSA-hhr9-rh25-hvf9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oaHI5LXJoMjUtaHZmOc4AA00L
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 6 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-hhr9-rh25-hvf9, CVE-2023-37899
References:

• https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9
• https://nvd.nist.gov/vuln/detail/CVE-2023-37899
• https://github.com/feathersjs/feathers/pull/3241
• https://github.com/feathersjs/feathers/pull/3242
• https://github.com/feathersjs/feathers/commit/0b9a6b19b12ad05934e4c8bd9917448ed39d1ed8
• https://github.com/feathersjs/feathers/commit/c397ab3a0cd184044ae4f73540549b30a396821c
• https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19
• https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19
• https://github.com/advisories/GHSA-hhr9-rh25-hvf9

Repository: https://github.com/feathersjs/feathers
Blast Radius: 24.5

Affected Packages