CVE-2022-2421

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-2421

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2421.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-2421

Aliases

GHSA-qm95-pgcg-qqfq

Published

2022-10-26T10:15:16.780Z

Modified

2026-02-13T08:48:15.745252Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

References

Affected packages

Git / github.com/socketio/socket.io-parser

Affected ranges

Type: GIT
Repo: https://github.com/socketio/socket.io-parser
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

cd11e38e1a3e2146617bc586f86512605607b212

Introduced

5ad3e5cc4b16326e3def2b834bd90c0424bfdd83

Fixed

5a2ccff9d1d8fdbadd3faad9290a9e3b165cf9a2

Introduced

652402a8568c2138da3c27c96756b32efca6c4bf

Fixed

4b3c191bc411578099c8dd35499d8c7a75860192

Introduced

c04d7f5c47ed712eb0f56cfc1a859f1aaa828f1e

Fixed

f3329eb5a46b215a3fdf91b6008c56cf177a4124

Affected versions

3.*

3.4.0

3.4.1

4.*

4.0.0

4.0.1

4.0.1-rc1

4.0.1-rc2

4.0.1-rc3

4.0.2

4.0.3

4.0.4

4.1.0

4.1.1

4.1.2

4.2.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2421.json"