CVE-2022-41940

Source
https://cve.org/CVERecord?id=CVE-2022-41940
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41940.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-41940
Aliases
Downstream
Published
2022-11-22T00:00:00Z
Modified
2026-04-10T04:51:36.638861Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H
Summary
Uncaught exception in engine.io
Details

Engine.IO is the implementation of the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, which terminates the Node.js process. This affects all users of the engine.io package, including those who use it indirectly through dependent packages such as socket.io. There is no known workaround other than upgrading to a patched version; fixes are released in versions 3.6.1 and 6.2.1.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-248"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41940.json"
}
References

Affected packages

Git / github.com/socketio/engine.io

Affected ranges

Type
GIT
Repo
https://github.com/socketio/engine.io
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.6.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/socketio/engine.io
Events
Database specific
{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "6.2.1"
        }
    ]
}
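Because socket.io users typically get engine.io as a transitive dependency, the practical question raised by the Details and by the two ranges above is whether any engine.io copy in a lock file falls into [0, 3.6.1) or [4.0.0, 6.2.1). The following is an added example, not part of this OSV record or of the engine.io project: a dependency-free Node.js checker that parses semver, evaluates the OSV introduced/fixed ranges transcribed from this record, and walks a lockfileVersion 2/3 package-lock.json object. The lock file contents, package names other than engine.io and socket.io, and all function names are constructed for illustration.

```javascript
// Added example (not from the OSV record or the engine.io project):
// check engine.io versions in a package-lock.json against this record's ranges.

// Ranges transcribed from the "Affected ranges" section of this record:
// [0, 3.6.1) and [4.0.0, 6.2.1). Note that 3.6.1 <= v < 4.0.0 is NOT listed.
const AFFECTED_RANGES = [
  { introduced: "0", fixed: "3.6.1" },
  { introduced: "4.0.0", fixed: "6.2.1" },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
// Build metadata is ignored for ordering, as semver specifies. Returns null on garbage.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Negative if a < b, 0 if equal, positive if a > b.
// A pre-release sorts below its release (3.6.1-rc.1 < 3.6.1), so it is still in [0, 3.6.1).
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (a.pre[i] === undefined) return -1;   // shorter pre-release list sorts first
    if (b.pre[i] === undefined) return 1;
    const an = /^\d+$/.test(a.pre[i]), bn = /^\d+$/.test(b.pre[i]);
    if (an && bn) { if (+a.pre[i] !== +b.pre[i]) return +a.pre[i] - +b.pre[i]; }
    else if (an) return -1;                  // numeric identifiers sort before alphanumeric
    else if (bn) return 1;
    else if (a.pre[i] !== b.pre[i]) return a.pre[i] < b.pre[i] ? -1 : 1;
  }
  return 0;
}

// OSV range semantics: affected if introduced <= v < fixed for some range.
// The special introduced value "0" means "from the very first version".
function isAffected(version, ranges = AFFECTED_RANGES) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unparseable version: ${version}`);
  return ranges.some(({ introduced, fixed }) => {
    const lo = introduced === "0" ? null : parseVersion(introduced);
    const hi = fixed ? parseVersion(fixed) : null;
    return (lo === null || compareVersions(v, lo) >= 0) &&
           (hi === null || compareVersions(v, hi) < 0);
  });
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and report
// every engine.io install, top-level or nested (e.g. pulled in via socket.io).
// lockfileVersion 1 files use a nested "dependencies" tree and are not handled here.
function findEngineIO(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/engine.io" || path.endsWith("/node_modules/engine.io")) {
      hits.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return hits;
}

// Constructed sample lock file (not from any real project): a socket.io app with
// a top-level engine.io 6.2.0 plus an older copy nested under a hypothetical package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/socket.io": { version: "4.5.3" },
    "node_modules/engine.io": { version: "6.2.0" },
    "node_modules/legacy-chat/node_modules/engine.io": { version: "3.6.1" },
    "node_modules/express": { version: "4.18.2" },
  },
};

for (const h of findEngineIO(SAMPLE_LOCK)) {
  console.log(`${h.path}@${h.version}: ${h.affected ? "AFFECTED, upgrade" : "not in affected range"}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a nested copy under another package's node_modules is exactly the case that `npm ls engine.io` shows and that a top-level `npm update` can miss, which is why the walk matches any path ending in `/node_modules/engine.io`.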

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1
0.3.10
0.3.2
0.3.3
0.3.4
0.3.5
0.3.7
0.3.8
0.3.9
0.4.1
0.4.2
0.4.3
0.5.0
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.10
0.7.11
0.7.12
0.7.13
0.7.14
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.8.0
0.8.1
0.8.2
0.9.0
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.4.0
1.4.1
1.4.2
1.4.3
1.5.0
1.5.1
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.7.0
1.7.1
1.7.2
1.8.0
1.8.1
1.8.2
2.*
2.0.0
2.0.1
2.0.2
2.1.0
3.*
3.0.0
3.1.0
3.1.1
3.1.2
3.1.3
3.2.0
3.2.1
3.3.0
3.3.1
3.3.2
3.4.0
3.4.1
3.4.2
3.5.0
3.6.0
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.1.0
4.1.1
5.*
5.0.0
5.1.0
5.1.1
5.2.0
6.*
6.0.0
6.1.0
6.1.1
6.1.2
6.1.3
6.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41940.json"