
=====================================================================

                               CERT-Renater

                   Note d'Information No. 2022/VULN433

_____________________________________________________________________

DATE                : 24/11/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running engine.io versions prior to
                                        3.6.1 (3.x line) or 6.2.1 (4.x to 6.x lines).

=====================================================================
https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w
_____________________________________________________________________

Uncaught exception in engine.io
Severity: High. Published by darrachequesne as GHSA-r7qp-cfhv-p84w.

Package
  engine.io (npm)

Affected versions
  < 3.6.1
  >= 4.0.0, <= 6.2.0

Patched versions
3.6.1
6.2.1


Description

Impact
A specially crafted HTTP request can trigger an uncaught exception
on the Engine.IO server, thus killing the Node.js process. The crash
looks like the following: an 'error' event (ECONNRESET) emitted on the
underlying socket that nothing handles, so Node.js rethrows it and the
process exits.

events.js:292
       throw er; // Unhandled 'error' event
       ^

Error: read ECONNRESET
     at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
     at emitErrorNT (internal/streams/destroy.js:106:8)
     at emitErrorCloseNT (internal/streams/destroy.js:74:3)
     at processTicksAndRejections (internal/process/task_queues.js:80:21) {
   errno: -104,
   code: 'ECONNRESET',
   syscall: 'read'
}

This impacts all users of the engine.io package, including those who
use dependent packages such as socket.io.


Patches
A fix was released on 2022/11/20 (the publication date of the GitHub
advisory):

Version range       Fixed version
engine.io@3.x.y     3.6.1
engine.io@6.x.y     6.2.1

For socket.io users:
_____________________________________________________________________
Version range              engine.io version   Needs minor update?

socket.io@4.5.x            ~6.2.0              npm audit fix should be sufficient
socket.io@4.4.x            ~6.1.0              Please upgrade to socket.io@4.5.x
socket.io@4.3.x            ~6.0.0              Please upgrade to socket.io@4.5.x
socket.io@4.2.x            ~5.2.0              Please upgrade to socket.io@4.5.x
socket.io@4.1.x            ~5.1.1              Please upgrade to socket.io@4.5.x
socket.io@4.0.x            ~5.0.0              Please upgrade to socket.io@4.5.x
socket.io@3.1.x            ~4.1.0              Please upgrade to socket.io@4.5.x
socket.io@3.0.x            ~4.0.0              Please upgrade to socket.io@4.5.x
socket.io@2.5.0            ~3.6.0              npm audit fix should be sufficient
socket.io@2.4.x and below  ~3.5.0              Please upgrade to socket.io@2.5.0


Workarounds
There is no known workaround except upgrading to a safe
version.
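Since upgrading is the only remedy, the practical first step is to find every
installed copy of engine.io (including nested copies pulled in by several
socket.io versions) and compare it against the affected ranges above. The
following script is an added example written for this bulletin; it is not code
from CERT-Renater or the engine.io project. It assumes a package-lock.json in
the lockfileVersion 2/3 "packages" layout, encodes the affected engine.io ranges
and the socket.io table from this advisory, and embeds a constructed lock-file
excerpt (SAMPLE_LOCK) so it runs offline; pass a real lock-file path as the first
argument to audit a project.

```javascript
// Added example (not part of the CERT-Renater bulletin or the engine.io project):
// dependency-free audit of a package-lock.json (lockfileVersion 2/3 "packages" layout)
// against the affected ranges of GHSA-r7qp-cfhv-p84w / CVE-2022-41940, with the
// socket.io upgrade advice transcribed from the advisory's table.
// Usage: node audit-engine-io.js [path/to/package-lock.json]

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into [major, minor, patch]. Pre-release
// tags are dropped: the advisory's ranges are expressed on release numbers only.
function parseVersion(v) {
  const parts = String(v).split('-')[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unrecognised version string: ${v}`);
  }
  return parts;
}

// Lexicographic compare of two parsed versions: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Affected engine.io ranges from the advisory: < 3.6.1, and >= 4.0.0 but < 6.2.1.
function isAffectedEngineIo(version) {
  const v = parseVersion(version);
  if (cmp(v, [3, 6, 1]) < 0) return true;
  return cmp(v, [4, 0, 0]) >= 0 && cmp(v, [6, 2, 1]) < 0;
}

// Patched release to move to, per major line (3.x -> 3.6.1, 4.x and newer -> 6.2.1).
// engine.io 1.x/2.x have no patched release of their own; the advisory's route for
// them is socket.io@2.5.0, which pulls engine.io ~3.6.0, hence 3.6.1.
function fixedEngineIo(version) {
  const [major] = parseVersion(version);
  return major >= 4 ? '6.2.1' : '3.6.1';
}

// socket.io advice, transcribed from the advisory's table above.
function socketIoAdvice(version) {
  const [major, minor] = parseVersion(version);
  if (major === 4 && minor >= 5) return 'npm audit fix should be sufficient (engine.io ~6.2.0 -> 6.2.1)';
  if (major === 4 || major === 3) return 'upgrade to socket.io@4.5.x';
  if (major === 2 && minor >= 5) return 'npm audit fix should be sufficient (engine.io ~3.6.0 -> 3.6.1)';
  if (major <= 2) return 'upgrade to socket.io@2.5.0';
  return 'not covered by the advisory table';
}

// Walk every installed copy (root and nested) of engine.io and socket.io.
// Keys look like "node_modules/engine.io" or "node_modules/foo/node_modules/engine.io".
function auditLockfile(lock) {
  const engineIo = [];
  const socketIo = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta || !meta.version) continue; // "" is the project itself
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (name === 'engine.io' && isAffectedEngineIo(meta.version)) {
      engineIo.push({ path, version: meta.version, fixedVersion: fixedEngineIo(meta.version) });
    } else if (name === 'socket.io') {
      socketIo.push({ path, version: meta.version, advice: socketIoAdvice(meta.version) });
    }
  }
  return { engineIo, socketIo };
}

// Constructed lock-file excerpt for the demo: an app on socket.io 4.4.x, a legacy
// dependency still pinning socket.io 2.4.x, and one already-patched nested copy.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { version: '1.0.0', dependencies: { 'socket.io': '^4.4.0', 'legacy-chat': '*' } },
    'node_modules/socket.io': { version: '4.4.1' },
    'node_modules/engine.io': { version: '6.1.3' },
    'node_modules/legacy-chat': { version: '0.1.0' },
    'node_modules/legacy-chat/node_modules/socket.io': { version: '2.4.1' },
    'node_modules/legacy-chat/node_modules/engine.io': { version: '3.5.0' },
    'node_modules/patched-tool/node_modules/engine.io': { version: '6.2.1' },
  },
};

function main() {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  const { engineIo, socketIo } = auditLockfile(lock);
  for (const f of engineIo) console.log(`VULNERABLE ${f.path}@${f.version} -> engine.io@${f.fixedVersion}`);
  for (const s of socketIo) console.log(`socket.io@${s.version} at ${s.path}: ${s.advice}`);
  if (engineIo.length === 0) console.log('no affected engine.io install found');
}

if (typeof require !== 'undefined' && require.main === module) main();
```

The audit deliberately walks nested node_modules entries rather than only the
top-level dependency: a project that has already moved to socket.io@4.5.x can
still ship an affected engine.io through an older transitive dependency, which is
exactly the case `npm audit fix` on the root package will not resolve on its own.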


For more information
If you have any questions or comments about this advisory, open an
issue in the engine.io repository (https://github.com/socketio/engine.io).

Thanks to Jonathan Neve for the responsible disclosure.


Severity
High

CVE ID
CVE-2022-41940

Weaknesses
No CWEs


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


