Uncaught Exception An exception is thrown from a function, but it is not caught. #11142
Closed
1 of 2 tasks
Labels
bug 🐛
Something isn't working
needs triage 📥
This issue needs triaged before being worked on
Status: Stale
This issue is stale because it has been open 30 days with no activity.
Comments
github-actions
bot
added
the
needs triage 📥
|
This issue is stale because it has been open 45 days with no activity. |
github-actions
bot
added
the
Status: Stale
|
This does not appear to be related to this repository; closing out. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the
socket.ioparent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of theengine.iopackage, including those who use depending packages likesocket.io. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.To reproduce
Description
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
This impacts all the users of the
engine.iopackage, including those who uses depending packages likesocket.io.Patches
A fix has been released today (2023/05/02): 6.4.2
This bug was introduced in version 5.1.0 and included in version 4.1.0 of the
socket.ioparent package. Older versions are not impacted.For
socket.iousers:Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
engine.ioThanks to Thomas Rinsma from Codean for the responsible disclosure.
References
TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
at Server.onWebSocket (build/server.js:515:67)
This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.
Patches
A fix has been released today (2023/05/02): 6.4.2
This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.
For socket.io users:
Version range engine.io version Needs minor update?
socket.io@4.6.x ~6.4.0 npm audit fix should be sufficient
socket.io@4.5.x ~6.2.0 Please upgrade to socket.io@4.6.x
socket.io@4.4.x ~6.1.0 Please upgrade to socket.io@4.6.x
socket.io@4.3.x ~6.0.0 Please upgrade to socket.io@4.6.x
socket.io@4.2.x ~5.2.0 Please upgrade to socket.io@4.6.x
socket.io@4.1.x ~5.1.1 Please upgrade to socket.io@4.6.x
socket.io@4.0.x ~5.0.0 Not impacted
socket.io@3.1.x ~4.1.0 Not impacted
socket.io@3.0.x ~4.0.0 Not impacted
socket.io@2.5.0 ~3.6.0 Not impacted
socket.io@2.4.x and below ~3.5.0 Not impacted
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
Open an issue in engine.io
Thanks to Thomas Rinsma from Codean for the responsible disclosure.
References
GHSA-q9mw-68c2-j6m5
socketio/engine.io@fc480b4
https://github.com/socketio/engine.io/releases/tag/6.4.2
https://nvd.nist.gov/vuln/detail/CVE-2023-31125
https://security.netapp.com/advisory/ntap-20230622-0002/
Description
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
This impacts all the users of the
engine.iopackage, including those who uses depending packages likesocket.io.Patches
A fix has been released today (2023/05/02): 6.4.2
This bug was introduced in version 5.1.0 and included in version 4.1.0 of the
socket.ioparent package. Older versions are not impacted.For
socket.iousers:Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
engine.ioThanks to Thomas Rinsma from Codean for the responsible disclosure.
References
TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
at Server.onWebSocket (build/server.js:515:67)
This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.
Patches
A fix has been released today (2023/05/02): 6.4.2
This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.
For socket.io users:
Version range engine.io version Needs minor update?
socket.io@4.6.x ~6.4.0 npm audit fix should be sufficient
socket.io@4.5.x ~6.2.0 Please upgrade to socket.io@4.6.x
socket.io@4.4.x ~6.1.0 Please upgrade to socket.io@4.6.x
socket.io@4.3.x ~6.0.0 Please upgrade to socket.io@4.6.x
socket.io@4.2.x ~5.2.0 Please upgrade to socket.io@4.6.x
socket.io@4.1.x ~5.1.1 Please upgrade to socket.io@4.6.x
socket.io@4.0.x ~5.0.0 Not impacted
socket.io@3.1.x ~4.1.0 Not impacted
socket.io@3.0.x ~4.0.0 Not impacted
socket.io@2.5.0 ~3.6.0 Not impacted
socket.io@2.4.x and below ~3.5.0 Not impacted
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
Open an issue in engine.io
Thanks to Thomas Rinsma from Codean for the responsible disclosure.
References
GHSA-q9mw-68c2-j6m5
socketio/engine.io@fc480b4
https://github.com/socketio/engine.io/releases/tag/6.4.2
https://nvd.nist.gov/vuln/detail/CVE-2023-31125
https://security.netapp.com/advisory/ntap-20230622-0002/
Expected behavior
Patched versions
6.4.2
Screenshots
No response
Desktop (please complete the following information)
No response
Smartphone (please complete the following information)
No response
Additional context
Patch: socketio/engine.io@fc480b4
Would you like to work on this issue?
The text was updated successfully, but these errors were encountered: