Vulnerability Description
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Socket | Engine.Io | < 3.6.1 |
Related Weaknesses (CWE)
References
- https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db1PatchThird Party Advisory
- https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9PatchThird Party Advisory
- https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84wExploitThird Party Advisory
- https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db1PatchThird Party Advisory
- https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9PatchThird Party Advisory
- https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84wExploitThird Party Advisory
FAQ
What is CVE-2022-41940?
CVE-2022-41940 is a vulnerability with a CVSS score of 7.1 (HIGH). Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on th...
How severe is CVE-2022-41940?
CVE-2022-41940 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-41940?
Check the references section above for vendor advisories and patch information. Affected products include: Socket Engine.Io.