GHSA-hhr9-rh25-hvf9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hhr9-rh25-hvf9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hhr9-rh25-hvf9/GHSA-hhr9-rh25-hvf9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hhr9-rh25-hvf9
- Aliases
- Published
- 2023-07-20T14:54:30Z
- Modified
- 2023-11-08T04:13:03.762779Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Feathers socket handler allows abusing implicit toString
- Details
-
Impact
Feathers socket handler did not catch invalid string conversion errors like:
const message = `${{ toString: '' }}`Causing the NodeJS process to crash when sending an unexpected Socket.io message like
socket.emit('find', { toString: '' })Patches
A fix has been released in
v5.0.8via #3241v4.5.18via #3242
Workarounds
Since it is in the core Socket handling code upgrading to the latest version is necessary.
References
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2023-07-19T20:15:10Z", "github_reviewed_at": "2023-07-20T14:54:30Z", "severity": "HIGH", "cwe_ids": [ "CWE-754" ] }- References
-
- https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9
- https://nvd.nist.gov/vuln/detail/CVE-2023-37899
- https://github.com/feathersjs/feathers/pull/3241
- https://github.com/feathersjs/feathers/pull/3242
- https://github.com/feathersjs/feathers/commit/0b9a6b19b12ad05934e4c8bd9917448ed39d1ed8
- https://github.com/feathersjs/feathers/commit/c397ab3a0cd184044ae4f73540549b30a396821c
- https://github.com/feathersjs/feathers
- https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19
- https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19
Affected packages
npm / @feathersjs/socketio
Package
- Name
- @feathersjs/socketio
- View open source insights on deps.dev
- Purl
- pkg:npm/%40feathersjs/socketio
npm / @feathersjs/socketio
Package
- Name
- @feathersjs/socketio
- View open source insights on deps.dev
- Purl
- pkg:npm/%40feathersjs/socketio
npm / @feathersjs/transport-commons
Package
- Name
- @feathersjs/transport-commons
- View open source insights on deps.dev
- Purl
- pkg:npm/%40feathersjs/transport-commons
npm / @feathersjs/transport-commons
Package
- Name
- @feathersjs/transport-commons
- View open source insights on deps.dev
- Purl
- pkg:npm/%40feathersjs/transport-commons