A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
TypeError: Cannot convert object to primitive value
at Socket.emit (node:events:507:25)
at .../node_modules/socket.io/lib/socket.js:531:14
A fix has been released today (2023/05/22):
socket.io-parser@4.2.3
socket.io-parser@3.4.3
| socket.io
version | socket.io-parser
version | Needs minor update? |
|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|
| 4.5.2...latest
| ~4.2.0
(ref) | npm audit fix
should be sufficient |
| 4.1.3...4.5.1
| ~4.1.1
(ref) | Please upgrade to socket.io@4.6.x
|
| 3.0.5...4.1.2
| ~4.0.3
(ref) | Please upgrade to socket.io@4.6.x
|
| 3.0.0...3.0.4
| ~4.0.1
(ref) | Please upgrade to socket.io@4.6.x
|
| 2.3.0...2.5.0
| ~3.4.0
(ref) | npm audit fix
should be sufficient |
There is no known workaround except upgrading to a safe version.
If you have any questions or comments about this advisory:
Thanks to @rafax00 for the responsible disclosure.