Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
TypeError: Cannot convert object to primitive value
at Socket.emit (node:events:507:25)
at .../node_modules/socket.io/lib/socket.js:531:14
Patches
A fix has been released today (2023/05/22):
- 3b78117, included in
socket.io-parser@4.2.3
- 2dc3c92, included in
socket.io-parser@3.4.3
socket.io version |
socket.io-parser version |
Needs minor update? |
4.5.2...latest |
~4.2.0 (ref) |
npm audit fix should be sufficient |
4.1.3...4.5.1 |
~4.1.1 (ref) |
Please upgrade to socket.io@4.6.x |
3.0.5...4.1.2 |
~4.0.3 (ref) |
Please upgrade to socket.io@4.6.x |
3.0.0...3.0.4 |
~4.0.1 (ref) |
Please upgrade to socket.io@4.6.x |
2.3.0...2.5.0 |
~3.4.0 (ref) |
npm audit fix should be sufficient |
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
Thanks to @rafax00 for the responsible disclosure.
Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
Patches
A fix has been released today (2023/05/22):
socket.io-parser@4.2.3socket.io-parser@3.4.3socket.ioversionsocket.io-parserversion4.5.2...latest~4.2.0(ref)npm audit fixshould be sufficient4.1.3...4.5.1~4.1.1(ref)socket.io@4.6.x3.0.5...4.1.2~4.0.3(ref)socket.io@4.6.x3.0.0...3.0.4~4.0.1(ref)socket.io@4.6.x2.3.0...2.5.0~3.4.0(ref)npm audit fixshould be sufficientWorkarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
Thanks to @rafax00 for the responsible disclosure.