GHSA-q9mw-68c2-j6m5

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
    at Server.onWebSocket (build/server.js:515:67)

This impacts all the users of the <code>engine.io</code> package, including those who uses depending packages like <code>socket.io</code>.

Patches

A fix has been released today (2023/05/02): 6.4.2

This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.

For socket.io users:

| Version range | engine.io version | Needs minor update? | |-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------| | socket.io@4.6.x | ~6.4.0 | npm audit fix should be sufficient | | socket.io@4.5.x | ~6.2.0 | Please upgrade to socket.io@4.6.x | | socket.io@4.4.x | ~6.1.0 | Please upgrade to socket.io@4.6.x | | socket.io@4.3.x | ~6.0.0 | Please upgrade to socket.io@4.6.x | | socket.io@4.2.x | ~5.2.0 | Please upgrade to socket.io@4.6.x | | socket.io@4.1.x | ~5.1.1 | Please upgrade to socket.io@4.6.x | | socket.io@4.0.x | ~5.0.0 | Not impacted | | socket.io@3.1.x | ~4.1.0 | Not impacted | | socket.io@3.0.x | ~4.0.0 | Not impacted | | socket.io@2.5.0 | ~3.6.0 | Not impacted | | socket.io@2.4.x and below | ~3.5.0 | Not impacted |

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

• Open an issue in <code>engine.io</code>

Thanks to Thomas Rinsma from Codean for the responsible disclosure.