Insufficient validation when decoding a Socket.IO packet

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

socketio/socket.io-parser@3b78117, included in socket.io-parser@4.2.3
socketio/socket.io-parser@2dc3c92, included in socket.io-parser@3.4.3

Another fix has been released for the 3.3.x branch:

socketio/socket.io-parser@ee00660, included in `socket.io-parser@3.3.4

`socket.io` version	`socket.io-parser` version	Needs minor update?
`4.5.2...latest`	`~4.2.0` (ref)	`npm audit fix` should be sufficient
`4.1.3...4.5.1`	`~4.1.1` (ref)	Please upgrade to `socket.io@4.6.x`
`3.0.5...4.1.2`	`~4.0.3` (ref)	Please upgrade to `socket.io@4.6.x`
`3.0.0...3.0.4`	`~4.0.1` (ref)	Please upgrade to `socket.io@4.6.x`
`2.3.0...2.5.0`	`~3.4.0` (ref)	`npm audit fix` should be sufficient

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

References

darrachequesne published to socketio/socket.io-parser May 22, 2023

Published to the GitHub Advisory Database May 23, 2023

Reviewed May 23, 2023

Published by the National Vulnerability Database May 27, 2023

Last updated Aug 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

For more information

References

Severity

EPSS score

Weaknesses

CVE ID

GHSA ID

Source code

Credits