An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yN3FwLWNmaHYtcDg0d84AAv_b

Uncaught exception in


A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

      throw er; // Unhandled 'error' event

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'

This impacts all the users of the package, including those who uses depending packages like


A fix has been released today (2022/11/20):

Version range Fixed version
[email protected] 3.6.1
[email protected] 6.2.1

For users:

Version range version Needs minor update?
[email protected] ~6.2.0 npm audit fix should be sufficient
[email protected] ~6.1.0 Please upgrade to [email protected]
[email protected] ~6.0.0 Please upgrade to [email protected]
[email protected] ~5.2.0 Please upgrade to [email protected]
[email protected] ~5.1.1 Please upgrade to [email protected]
[email protected] ~5.0.0 Please upgrade to [email protected]
[email protected] ~4.1.0 Please upgrade to [email protected] (see here)
[email protected] ~4.0.0 Please upgrade to [email protected] (see here)
[email protected] ~3.6.0 npm audit fix should be sufficient
[email protected] and below ~3.5.0 Please upgrade to [email protected]


There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Thanks to Jonathan Neve for the responsible disclosure.

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 4 months ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-r7qp-cfhv-p84w, CVE-2022-41940

Affected Packages
Versions: >= 4.0.0, < 6.2.1, < 3.6.1
Fixed in: 6.2.1, 3.6.1