Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Well done Mykhailo! #25

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Well done Mykhailo! #25

wants to merge 1 commit into from

Conversation

debricked-staging[bot]
Copy link

CVE–2022–2421

Vulnerability details

Description

NVD

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

GitHub

Insufficient validation when decoding a Socket.IO packet

Due to improper type validation in the socket.io-parser library (which is used by the socket.io and socket.io-client packages to encode and decode Socket.IO packets), it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Example:

const decoder = new Decoder();

decoder.on(\"decoded\", (packet) => {
 console.log(packet.data); // prints [ 'hello', [Function: splice] ]
 })

decoder.add('51-[\"hello\",{\"_placeholder\":true,\"num\":\"splice\"}]');
decoder.add(Buffer.from(\"world\"));

This bubbles up in the socket.io package:

io.on(\"connection\", (socket) => {
 socket.on(\"hello\", (val) => {
 // here, \"val\" could be a reference instead of what the user expected
 });
 });

At first sight, the potential impact seems rather limited, but please upgrade to a safe version as soon as possible.

This should be fixed by:

Dependency analysis for the socket.io package

socket.io version socket.io-parser version Covered?
4.5.2...latest ~4.2.0 (ref) Yes ✔️
4.1.3...4.5.1 ~4.0.4 (ref) Yes ✔️
3.0.5...4.1.2 ~4.0.3 (ref) Yes ✔️
3.0.0...3.0.4 ~4.0.1 (ref) Yes ✔️

Dependency analysis for the socket.io-client package

socket.io-client version socket.io-parser version Covered?
4.5.0...latest ~4.2.0 (ref) Yes ✔️
4.3.0...4.4.1 ~4.1.1 (ref) No, but the impact is very limited
3.1.0...4.2.0 ~4.0.4 (ref) Yes ✔️
3.0.5 ~4.0.3 (ref) Yes ✔️
3.0.0...3.0.4 ~4.0.1 (ref) Yes ✔️
CVSS details - 9.8

 

CVSS3 metrics
Attack Vector Network
Attack Complexity Low
Privileges Required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
References

    THIRD PARTY
    NVD - CVE-2022-2421
    Socket.io - Improper type validation in attachment parsing | DIVD CSIRT
    DIVD-2022-00045 - Injection vulnerability found within Socket.io | DIVD CSIRT
    fix: check the format of the index of each attachment · socketio/socket.io-parser@b559f05 · GitHub
    fix: check the format of the index of each attachment · socketio/socket.io-parser@b5d0cb7 · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

@debricked-staging debricked-staging bot changed the title Fix vulnerabilities Well done Mykhailo! Nov 7, 2022
@debricked-staging debricked-staging bot force-pushed the debricked-fix-CVE_2022_2421-4b491af48762fd5a branch from aed6436 to 53ea862 Compare November 7, 2022 15:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
0 participants