Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yN3FwLWNmaHYtcDg0d84AAv_b
Uncaught exception in engine.io
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
events.js:292
throw er; // Unhandled 'error' event
^
Error: read ECONNRESET
at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
at emitErrorNT (internal/streams/destroy.js:106:8)
at emitErrorCloseNT (internal/streams/destroy.js:74:3)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
errno: -104,
code: 'ECONNRESET',
syscall: 'read'
}
This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.
Patches
A fix has been released today (2022/11/20):
| Version range | Fixed version |
|---|---|
[email protected] |
3.6.1 |
[email protected] |
6.2.1 |
For socket.io users:
| Version range | engine.io version |
Needs minor update? |
|---|---|---|
[email protected] |
~6.2.0 |
npm audit fix should be sufficient |
[email protected] |
~6.1.0 |
Please upgrade to [email protected] |
[email protected] |
~6.0.0 |
Please upgrade to [email protected] |
[email protected] |
~5.2.0 |
Please upgrade to [email protected] |
[email protected] |
~5.1.1 |
Please upgrade to [email protected] |
[email protected] |
~5.0.0 |
Please upgrade to [email protected] |
[email protected] |
~4.1.0 |
Please upgrade to [email protected] (see here) |
[email protected] |
~4.0.0 |
Please upgrade to [email protected] (see here) |
[email protected] |
~3.6.0 |
npm audit fix should be sufficient |
[email protected] and below |
~3.5.0 |
Please upgrade to [email protected] |
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
- Open an issue in
engine.io
Thanks to Jonathan Neve for the responsible disclosure.
Permalink: https://github.com/advisories/GHSA-r7qp-cfhv-p84wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yN3FwLWNmaHYtcDg0d84AAv_b
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 4 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-r7qp-cfhv-p84w, CVE-2022-41940
References:
- https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w
- https://nvd.nist.gov/vuln/detail/CVE-2022-41940
- https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6
- https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085
- https://github.com/advisories/GHSA-r7qp-cfhv-p84w
Affected Packages
npm:engine.io
Versions: >= 4.0.0, < 6.2.1, < 3.6.1Fixed in: 6.2.1, 3.6.1