Fixing CVE-2023-32695 on 3.3.x #125

Merged: 1 commit, Jul 22, 2024

arnaufugarolas

Description

Fixing CVE-2023-32695 on 3.3.X

Backported from 3.4.X

A packet like '2[{"toString":"foo"}]' was decoded as:

```js
{
  type: EVENT,
  data: [ { "toString": "foo" } ]
}
```

Which would then throw an error when passed to the EventEmitter class:

> TypeError: Cannot convert object to primitive value
>    at Socket.emit (node:events:507:25)
>    at .../node_modules/socket.io/lib/socket.js:531:14

Backported from [socketio/socket.io-devalue-parser@2dc3c92](socketio@2dc3c92)
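
The failure mode described above, as an added example that is not part of the original PR or of the parser's code: a lenient decoder accepts the packet and the error surfaces only when the event name is used as a lookup key, while a strict decoder rejects it at decode time. All function names are hypothetical, the property-key lookup stands in for `EventEmitter`, and the "event name must be a string or number" check is an assumption rather than the text of the patch.

```javascript
// Added example: not code from the parser. All names are hypothetical.
const EVENT = 2; // packet type digit used in the PR's sample packet

// Assumed check: an EVENT payload is an array whose first item
// (the event name) is a string or a number.
function isValidEventPayload(data) {
  return Array.isArray(data) &&
    (typeof data[0] === "string" || typeof data[0] === "number");
}

// Minimal decoder for "<type digit><JSON payload>" packets
// (no namespace, ack id or binary attachments).
function decode(str, { strict }) {
  const type = Number(str.charAt(0));
  const data = JSON.parse(str.slice(1));
  if (strict && type === EVENT && !isValidEventPayload(data)) {
    throw new Error("invalid payload");
  }
  return { type, data };
}

// Stand-in for EventEmitter dispatch: the event name becomes a property key,
// which forces a to-primitive conversion of whatever the client sent.
function dispatch(handlers, packet) {
  const [name, ...args] = packet.data;
  const handler = handlers[name]; // TypeError when name is {"toString":"foo"}
  return handler ? handler(...args) : undefined;
}

// Runs a raw packet through decode + dispatch and reports where it failed.
function handle(raw, strict) {
  const handlers = Object.assign(Object.create(null), {
    greet: (who) => `hello ${who}`,
  });
  let packet;
  try {
    packet = decode(raw, { strict });
  } catch (e) {
    return { stage: "decode", error: e.message };
  }
  try {
    return { stage: "dispatch", result: dispatch(handlers, packet) };
  } catch (e) {
    return { stage: "dispatch", error: `${e.name}: ${e.message}` };
  }
}

const MALFORMED = '2[{"toString":"foo"}]'; // packet quoted in the PR description
console.log(handle(MALFORMED, false)); // lenient: fails late, in dispatch
console.log(handle(MALFORMED, true));  // strict: rejected at decode time
```
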
@arnaufugarolas changed the title from "Fixing CVE-2023-32695" to "Fixing CVE-2023-32695 on 3.3.x" on Oct 9, 2023
@arnaufugarolas
Author

Could you merge the PR please?

Thanks!

@darrachequesne darrachequesne merged commit ee00660 into socketio:3.3.x Jul 22, 2024
@darrachequesne
Member

Done! Released in version 3.3.4.

I've updated the advisory accordingly: github/advisory-database#4624
