Insufficient validation when decoding a Socket.IO packet

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

3b78117, included in [email protected]
2dc3c92, included in [email protected]

`socket.io` version	`socket.io-parser` version	Needs minor update?
`4.5.2...latest`	`~4.2.0` (ref)	`npm audit fix` should be sufficient
`4.1.3...4.5.1`	`~4.1.1` (ref)	Please upgrade to `[email protected]`
`3.0.5...4.1.2`	`~4.0.3` (ref)	Please upgrade to `[email protected]`
`3.0.0...3.0.4`	`~4.0.1` (ref)	Please upgrade to `[email protected]`
`2.3.0...2.5.0`	`~3.4.0` (ref)	`npm audit fix` should be sufficient

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Insufficient validation when decoding a Socket.IO packet

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

For more information

Severity

CVE ID

Weaknesses

Credits