CVE-2023-37899

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-37899
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-37899.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-37899
Aliases
Published
2023-07-19T19:45:31.386Z
Modified
2025-12-04T23:58:31.039751Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
feathersjs socket handler allows abusing implicit toString
Details

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like const message = ${{ toString: '' }} which would cause the NodeJS process to crash when sending an unexpected Socket.io message like socket.emit('find', { toString: '' }). A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/37xxx/CVE-2023-37899.json",
    "cwe_ids": [
        "CWE-754"
    ]
}
References

Affected packages

Git / github.com/feathersjs/feathers

Affected ranges

Type
GIT
Repo
https://github.com/feathersjs/feathers
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2d3671d2e3ff88034181bccf2bfda04de856aa4f
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.5.18"
        }
    ]
}
Type
GIT
Repo
https://github.com/feathersjs/feathers
Events
Introduced
90caf635aec850550b9d37bea2762af959d9e8d5
Fixed
414336a047a556f1986b4bb253416d5b8a973d9f
Database specific 
{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.0.8"
        }
    ]
}

Affected versions

0.*

0.0.2
0.0.3
0.0.4
0.1.0
0.2.0
0.3.0
0.3.1
0.3.2
0.4.0

1.*

1.0.0
1.0.0-pre.1
1.0.0-pre.5
1.0.1
1.0.2
1.1.0-pre.0

@feathersjs/adapter-commons@1.*

@feathersjs/adapter-commons@1.0.0
@feathersjs/adapter-commons@1.0.1
@feathersjs/adapter-commons@1.0.2
@feathersjs/adapter-commons@1.0.3
@feathersjs/adapter-commons@1.0.4
@feathersjs/adapter-commons@1.0.5
@feathersjs/adapter-commons@1.0.6
@feathersjs/adapter-commons@1.0.7

@feathersjs/adapter-commons@2.*

@feathersjs/adapter-commons@2.0.0

@feathersjs/adapter-tests@1.*

@feathersjs/adapter-tests@1.0.0
@feathersjs/adapter-tests@1.0.1

@feathersjs/authentication-client@1.*

@feathersjs/authentication-client@1.0.10
@feathersjs/authentication-client@1.0.11
@feathersjs/authentication-client@1.0.3
@feathersjs/authentication-client@1.0.4
@feathersjs/authentication-client@1.0.5
@feathersjs/authentication-client@1.0.6
@feathersjs/authentication-client@1.0.7
@feathersjs/authentication-client@1.0.8
@feathersjs/authentication-client@1.0.9

@feathersjs/authentication-jwt@2.*

@feathersjs/authentication-jwt@2.0.10
@feathersjs/authentication-jwt@2.0.2
@feathersjs/authentication-jwt@2.0.3
@feathersjs/authentication-jwt@2.0.4
@feathersjs/authentication-jwt@2.0.5
@feathersjs/authentication-jwt@2.0.6
@feathersjs/authentication-jwt@2.0.7
@feathersjs/authentication-jwt@2.0.8
@feathersjs/authentication-jwt@2.0.9

@feathersjs/authentication-local@1.*

@feathersjs/authentication-local@1.2.2
@feathersjs/authentication-local@1.2.3
@feathersjs/authentication-local@1.2.4
@feathersjs/authentication-local@1.2.5
@feathersjs/authentication-local@1.2.6
@feathersjs/authentication-local@1.2.7
@feathersjs/authentication-local@1.2.8
@feathersjs/authentication-local@1.2.9

@feathersjs/authentication-oauth1@1.*

@feathersjs/authentication-oauth1@1.0.10
@feathersjs/authentication-oauth1@1.0.4
@feathersjs/authentication-oauth1@1.0.5
@feathersjs/authentication-oauth1@1.0.6
@feathersjs/authentication-oauth1@1.0.7
@feathersjs/authentication-oauth1@1.0.8
@feathersjs/authentication-oauth1@1.0.9
@feathersjs/authentication-oauth1@1.1.0
@feathersjs/authentication-oauth1@1.1.1

@feathersjs/authentication-oauth2@1.*

@feathersjs/authentication-oauth2@1.2.1
@feathersjs/authentication-oauth2@1.2.2
@feathersjs/authentication-oauth2@1.2.3
@feathersjs/authentication-oauth2@1.2.4
@feathersjs/authentication-oauth2@1.2.5
@feathersjs/authentication-oauth2@1.2.6
@feathersjs/authentication-oauth2@1.2.7
@feathersjs/authentication-oauth2@1.3.0
@feathersjs/authentication-oauth2@1.3.1

@feathersjs/authentication@2.*

@feathersjs/authentication@2.1.10
@feathersjs/authentication@2.1.11
@feathersjs/authentication@2.1.12
@feathersjs/authentication@2.1.13
@feathersjs/authentication@2.1.14
@feathersjs/authentication@2.1.15
@feathersjs/authentication@2.1.16
@feathersjs/authentication@2.1.8
@feathersjs/authentication@2.1.9

@feathersjs/cli@3.*

@feathersjs/cli@3.8.1
@feathersjs/cli@3.8.2
@feathersjs/cli@3.8.3
@feathersjs/cli@3.8.4
@feathersjs/cli@3.8.5
@feathersjs/cli@3.8.6
@feathersjs/cli@3.8.7

@feathersjs/client@3.*

@feathersjs/client@3.7.2
@feathersjs/client@3.7.3
@feathersjs/client@3.7.4
@feathersjs/client@3.7.5
@feathersjs/client@3.7.6
@feathersjs/client@3.7.7
@feathersjs/client@3.7.8

@feathersjs/commons@3.*

@feathersjs/commons@3.0.0
@feathersjs/commons@3.0.1

@feathersjs/commons@4.*

@feathersjs/commons@4.0.0

@feathersjs/configuration@2.*

@feathersjs/configuration@2.0.1
@feathersjs/configuration@2.0.2
@feathersjs/configuration@2.0.3
@feathersjs/configuration@2.0.4
@feathersjs/configuration@2.0.5
@feathersjs/configuration@2.0.6

@feathersjs/errors@3.*

@feathersjs/errors@3.3.1
@feathersjs/errors@3.3.2
@feathersjs/errors@3.3.3
@feathersjs/errors@3.3.4
@feathersjs/errors@3.3.5
@feathersjs/errors@3.3.6

@feathersjs/express@1.*

@feathersjs/express@1.2.4
@feathersjs/express@1.2.5
@feathersjs/express@1.2.6
@feathersjs/express@1.2.7
@feathersjs/express@1.3.0
@feathersjs/express@1.3.1

@feathersjs/feathers@3.*

@feathersjs/feathers@3.2.0
@feathersjs/feathers@3.2.1
@feathersjs/feathers@3.2.2
@feathersjs/feathers@3.2.3
@feathersjs/feathers@3.3.0
@feathersjs/feathers@3.3.1

@feathersjs/primus-client@1.*

@feathersjs/primus-client@1.1.1
@feathersjs/primus-client@1.1.2
@feathersjs/primus-client@1.1.3
@feathersjs/primus-client@1.1.4
@feathersjs/primus-client@1.1.5
@feathersjs/primus-client@1.1.6
@feathersjs/primus-client@1.1.7

@feathersjs/primus@3.*

@feathersjs/primus@3.2.2
@feathersjs/primus@3.2.3
@feathersjs/primus@3.2.4
@feathersjs/primus@3.2.5
@feathersjs/primus@3.2.6
@feathersjs/primus@3.2.7
@feathersjs/primus@3.2.8

@feathersjs/rest-client@1.*

@feathersjs/rest-client@1.4.2
@feathersjs/rest-client@1.4.3
@feathersjs/rest-client@1.4.4
@feathersjs/rest-client@1.4.5
@feathersjs/rest-client@1.4.6
@feathersjs/rest-client@1.4.7

@feathersjs/socketio-client@1.*

@feathersjs/socketio-client@1.1.1
@feathersjs/socketio-client@1.1.2
@feathersjs/socketio-client@1.1.3
@feathersjs/socketio-client@1.1.4
@feathersjs/socketio-client@1.1.5
@feathersjs/socketio-client@1.2.0
@feathersjs/socketio-client@1.2.1

@feathersjs/socketio@3.*

@feathersjs/socketio@3.2.3
@feathersjs/socketio@3.2.4
@feathersjs/socketio@3.2.5
@feathersjs/socketio@3.2.6
@feathersjs/socketio@3.2.7
@feathersjs/socketio@3.2.8
@feathersjs/socketio@3.2.9

@feathersjs/transport-commons@4.*

@feathersjs/transport-commons@4.1.2
@feathersjs/transport-commons@4.1.3
@feathersjs/transport-commons@4.1.4
@feathersjs/transport-commons@4.1.5
@feathersjs/transport-commons@4.1.6
@feathersjs/transport-commons@4.2.0
@feathersjs/transport-commons@4.2.1

generator-feathers-plugin@1.*

generator-feathers-plugin@1.0.1

generator-feathers@2.*

generator-feathers@2.6.1
generator-feathers@2.6.2
generator-feathers@2.6.3
generator-feathers@2.6.4
generator-feathers@2.7.0
generator-feathers@2.7.1
generator-feathers@2.8.0

v1.*

v1.1.0
v1.1.1
v1.2.0
v1.2.1

v2.*

v2.0.0
v2.0.0-pre.1
v2.0.0-pre.2
v2.0.0-pre.3
v2.0.0-pre.4
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.6
v2.1.7
v2.2.0
v2.2.1
v2.2.2
v2.2.3

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.2.0-pre.1

v4.*

v4.0.0-pre.0
v4.0.0-pre.1
v4.0.0-pre.2
v4.0.0-pre.3
v4.0.0-pre.4
v4.0.0-pre.5
v4.3.0
v4.3.0-pre.1
v4.3.0-pre.2
v4.3.0-pre.3
v4.3.0-pre.4
v4.3.1
v4.3.10
v4.3.11
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.8
v4.3.9
v4.4.0
v4.4.1
v4.4.3
v4.5.0
v4.5.1
v4.5.10
v4.5.11
v4.5.12
v4.5.13
v4.5.14
v4.5.15
v4.5.16
v4.5.17
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.5.6
v4.5.7
v4.5.8
v4.5.9

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7