fix(cmd-api-server): upgrade socket.io - CVE-2022-21676 #1914

petermetz · 2022-03-14T06:00:19Z

Severity
High
7.5
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses
CWE-754
CVE ID
CVE-2022-21676
GHSA ID
GHSA-273r-mgr4-v34f

Package
Affected versions
Patched version
engine.io
(npm)

= 5.0.0, < 5.2.1
5.2.1
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
at writeOrBuffer (internal/streams/writable.js:358:12)

This impacts all the users of the engine.io package starting from version 4.0.0, including those who uses depending packages like socket.io.

Patches
A fix has been released for each major branch:

Version range Fixed version
engine.io@4.x.x 4.1.2
engine.io@5.x.x 5.2.1
engine.io@6.x.x 6.1.1
Previous versions (< 4.0.0) are not impacted.

For socket.io users:

Version range engine.io version Needs minor update?
socket.io@4.4.x ~6.1.0 -
socket.io@4.3.x ~6.0.0 Please upgrade to socket.io@4.4.x
socket.io@4.2.x ~5.2.0 -
socket.io@4.1.x ~5.1.1 Please upgrade to socket.io@4.4.x
socket.io@4.0.x ~5.0.0 Please upgrade to socket.io@4.4.x
socket.io@3.1.x ~4.1.0 -
socket.io@3.0.x ~4.0.0 Please upgrade to socket.io@3.1.x or socket.io@4.4.x (see here)
In most cases, running npm audit fix should be sufficient. You can also use npm update engine.io --depth=9999.

Workarounds
There is no known workaround except upgrading to a safe version.

For more information
If you have any questions or comments about this advisory:

Open an issue in engine.io
Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

Upgrade the version of socket.io to 4.4.1 which contains the patches for the CVE mentioned in the title. Fixes hyperledger-cacti#1914 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>

Upgrade the version of socket.io to 4.4.1 which contains the patches for the CVE mentioned in the title. Fixes #1914 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>

petermetz added API_Server dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities labels Mar 14, 2022

petermetz self-assigned this Mar 14, 2022

petermetz mentioned this issue Mar 14, 2022

fix(cmd-api-server): upgrade socket.io - CVE-2022-21676 #1915

Merged

petermetz closed this as completed in #1915 Mar 15, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(cmd-api-server): upgrade socket.io - CVE-2022-21676 #1914

fix(cmd-api-server): upgrade socket.io - CVE-2022-21676 #1914

petermetz commented Mar 14, 2022

fix(cmd-api-server): upgrade socket.io - CVE-2022-21676 #1914

fix(cmd-api-server): upgrade socket.io - CVE-2022-21676 #1914

Comments

petermetz commented Mar 14, 2022