CVE-2023-37899

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-37899
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-37899.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-37899
Aliases
Related
Published
2023-07-19T20:15:10Z
Modified
2025-02-19T03:33:01.631156Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. The Feathers socket handler did not catch invalid string conversion errors such as const message = `${{ toString: '' }}`, so sending an unexpected Socket.io message like socket.emit('find', { toString: '' }) would cause the Node.js process to crash. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.

References

Affected packages

Git / github.com/feathersjs/feathers

Affected ranges

Type
GIT
Repo
https://github.com/feathersjs/feathers
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.0.2
0.0.3
0.0.4
0.1.0
0.2.0
0.3.0
0.3.1
0.3.2
0.4.0

1.*

1.0.0
1.0.0-pre.1
1.0.0-pre.5
1.0.1
1.0.2
1.1.0-pre.0

@feathersjs/adapter-commons@1.*

@feathersjs/adapter-commons@1.0.0
@feathersjs/adapter-commons@1.0.1
@feathersjs/adapter-commons@1.0.2
@feathersjs/adapter-commons@1.0.3
@feathersjs/adapter-commons@1.0.4
@feathersjs/adapter-commons@1.0.5
@feathersjs/adapter-commons@1.0.6
@feathersjs/adapter-commons@1.0.7

@feathersjs/adapter-commons@2.*

@feathersjs/adapter-commons@2.0.0

@feathersjs/adapter-tests@1.*

@feathersjs/adapter-tests@1.0.0
@feathersjs/adapter-tests@1.0.1

@feathersjs/authentication-client@1.*

@feathersjs/authentication-client@1.0.10
@feathersjs/authentication-client@1.0.11
@feathersjs/authentication-client@1.0.3
@feathersjs/authentication-client@1.0.4
@feathersjs/authentication-client@1.0.5
@feathersjs/authentication-client@1.0.6
@feathersjs/authentication-client@1.0.7
@feathersjs/authentication-client@1.0.8
@feathersjs/authentication-client@1.0.9

@feathersjs/authentication-jwt@2.*

@feathersjs/authentication-jwt@2.0.10
@feathersjs/authentication-jwt@2.0.2
@feathersjs/authentication-jwt@2.0.3
@feathersjs/authentication-jwt@2.0.4
@feathersjs/authentication-jwt@2.0.5
@feathersjs/authentication-jwt@2.0.6
@feathersjs/authentication-jwt@2.0.7
@feathersjs/authentication-jwt@2.0.8
@feathersjs/authentication-jwt@2.0.9

@feathersjs/authentication-local@1.*

@feathersjs/authentication-local@1.2.2
@feathersjs/authentication-local@1.2.3
@feathersjs/authentication-local@1.2.4
@feathersjs/authentication-local@1.2.5
@feathersjs/authentication-local@1.2.6
@feathersjs/authentication-local@1.2.7
@feathersjs/authentication-local@1.2.8
@feathersjs/authentication-local@1.2.9

@feathersjs/authentication-oauth1@1.*

@feathersjs/authentication-oauth1@1.0.10
@feathersjs/authentication-oauth1@1.0.4
@feathersjs/authentication-oauth1@1.0.5
@feathersjs/authentication-oauth1@1.0.6
@feathersjs/authentication-oauth1@1.0.7
@feathersjs/authentication-oauth1@1.0.8
@feathersjs/authentication-oauth1@1.0.9
@feathersjs/authentication-oauth1@1.1.0
@feathersjs/authentication-oauth1@1.1.1

@feathersjs/authentication-oauth2@1.*

@feathersjs/authentication-oauth2@1.2.1
@feathersjs/authentication-oauth2@1.2.2
@feathersjs/authentication-oauth2@1.2.3
@feathersjs/authentication-oauth2@1.2.4
@feathersjs/authentication-oauth2@1.2.5
@feathersjs/authentication-oauth2@1.2.6
@feathersjs/authentication-oauth2@1.2.7
@feathersjs/authentication-oauth2@1.3.0
@feathersjs/authentication-oauth2@1.3.1

@feathersjs/authentication@2.*

@feathersjs/authentication@2.1.10
@feathersjs/authentication@2.1.11
@feathersjs/authentication@2.1.12
@feathersjs/authentication@2.1.13
@feathersjs/authentication@2.1.14
@feathersjs/authentication@2.1.15
@feathersjs/authentication@2.1.16
@feathersjs/authentication@2.1.8
@feathersjs/authentication@2.1.9

@feathersjs/cli@3.*

@feathersjs/cli@3.8.1
@feathersjs/cli@3.8.2
@feathersjs/cli@3.8.3
@feathersjs/cli@3.8.4
@feathersjs/cli@3.8.5
@feathersjs/cli@3.8.6
@feathersjs/cli@3.8.7

@feathersjs/client@3.*

@feathersjs/client@3.7.2
@feathersjs/client@3.7.3
@feathersjs/client@3.7.4
@feathersjs/client@3.7.5
@feathersjs/client@3.7.6
@feathersjs/client@3.7.7
@feathersjs/client@3.7.8

@feathersjs/commons@3.*

@feathersjs/commons@3.0.0
@feathersjs/commons@3.0.1

@feathersjs/commons@4.*

@feathersjs/commons@4.0.0

@feathersjs/configuration@2.*

@feathersjs/configuration@2.0.1
@feathersjs/configuration@2.0.2
@feathersjs/configuration@2.0.3
@feathersjs/configuration@2.0.4
@feathersjs/configuration@2.0.5
@feathersjs/configuration@2.0.6

@feathersjs/errors@3.*

@feathersjs/errors@3.3.1
@feathersjs/errors@3.3.2
@feathersjs/errors@3.3.3
@feathersjs/errors@3.3.4
@feathersjs/errors@3.3.5
@feathersjs/errors@3.3.6

@feathersjs/express@1.*

@feathersjs/express@1.2.4
@feathersjs/express@1.2.5
@feathersjs/express@1.2.6
@feathersjs/express@1.2.7
@feathersjs/express@1.3.0
@feathersjs/express@1.3.1

@feathersjs/feathers@3.*

@feathersjs/feathers@3.2.0
@feathersjs/feathers@3.2.1
@feathersjs/feathers@3.2.2
@feathersjs/feathers@3.2.3
@feathersjs/feathers@3.3.0
@feathersjs/feathers@3.3.1

@feathersjs/primus-client@1.*

@feathersjs/primus-client@1.1.1
@feathersjs/primus-client@1.1.2
@feathersjs/primus-client@1.1.3
@feathersjs/primus-client@1.1.4
@feathersjs/primus-client@1.1.5
@feathersjs/primus-client@1.1.6
@feathersjs/primus-client@1.1.7

@feathersjs/primus@3.*

@feathersjs/primus@3.2.2
@feathersjs/primus@3.2.3
@feathersjs/primus@3.2.4
@feathersjs/primus@3.2.5
@feathersjs/primus@3.2.6
@feathersjs/primus@3.2.7
@feathersjs/primus@3.2.8

@feathersjs/rest-client@1.*

@feathersjs/rest-client@1.4.2
@feathersjs/rest-client@1.4.3
@feathersjs/rest-client@1.4.4
@feathersjs/rest-client@1.4.5
@feathersjs/rest-client@1.4.6
@feathersjs/rest-client@1.4.7

@feathersjs/socketio-client@1.*

@feathersjs/socketio-client@1.1.1
@feathersjs/socketio-client@1.1.2
@feathersjs/socketio-client@1.1.3
@feathersjs/socketio-client@1.1.4
@feathersjs/socketio-client@1.1.5
@feathersjs/socketio-client@1.2.0
@feathersjs/socketio-client@1.2.1

@feathersjs/socketio@3.*

@feathersjs/socketio@3.2.3
@feathersjs/socketio@3.2.4
@feathersjs/socketio@3.2.5
@feathersjs/socketio@3.2.6
@feathersjs/socketio@3.2.7
@feathersjs/socketio@3.2.8
@feathersjs/socketio@3.2.9

@feathersjs/transport-commons@4.*

@feathersjs/transport-commons@4.1.2
@feathersjs/transport-commons@4.1.3
@feathersjs/transport-commons@4.1.4
@feathersjs/transport-commons@4.1.5
@feathersjs/transport-commons@4.1.6
@feathersjs/transport-commons@4.2.0
@feathersjs/transport-commons@4.2.1

generator-feathers-plugin@1.*

generator-feathers-plugin@1.0.1

generator-feathers@2.*

generator-feathers@2.6.1
generator-feathers@2.6.2
generator-feathers@2.6.3
generator-feathers@2.6.4
generator-feathers@2.7.0
generator-feathers@2.7.1
generator-feathers@2.8.0

v1.*

v1.1.0
v1.1.1
v1.2.0
v1.2.1

v2.*

v2.0.0
v2.0.0-pre.1
v2.0.0-pre.2
v2.0.0-pre.3
v2.0.0-pre.4
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.6
v2.1.7
v2.2.0
v2.2.1
v2.2.2
v2.2.3

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.2.0-pre.1

v4.*

v4.0.0-pre.0
v4.0.0-pre.1
v4.0.0-pre.2
v4.0.0-pre.3
v4.0.0-pre.4
v4.0.0-pre.5
v4.3.0
v4.3.0-pre.1
v4.3.0-pre.2
v4.3.0-pre.3
v4.3.0-pre.4
v4.3.1
v4.3.10
v4.3.11
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.8
v4.3.9
v4.4.0
v4.4.1
v4.4.3
v4.5.0
v4.5.1
v4.5.10
v4.5.11
v4.5.12
v4.5.13
v4.5.14
v4.5.15
v4.5.16
v4.5.17
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.5.6
v4.5.7
v4.5.8
v4.5.9