CVE-2022-2421: Socket.io - Improper type validation in attachment parsing
First published: Tue Oct 25 2022(Updated: )
Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.
Credit: csirt@divd.nl csirt@divd.nl csirt@divd.nl
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/socket.io-parser | >=3.4.0<3.4.2 | 3.4.2 |
| npm/socket.io-parser | <3.3.3 | 3.3.3 |
| npm/socket.io-parser | >=4.0.0<4.0.5 | 4.0.5 |
| npm/socket.io-parser | >=4.1.0<4.2.1 | 4.2.1 |
| Socket Socket.io-parser Node.js | <4.0.5 | |
| Socket Socket.io-parser Node.js | >=4.1.0<4.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://csirt.divd.nl/CVE-2022-2421
- https://csirt.divd.nl/DIVD-2022-00045
- https://nvd.nist.gov/vuln/detail/CVE-2022-2421
- https://csirt.divd.nl/cases/DIVD-2022-00045
- https://csirt.divd.nl/cves/CVE-2022-2421
- https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4
- https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050
- https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14
- https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983
- https://github.com/advisories/GHSA-qm95-pgcg-qqfq (Advisory)
Frequently Asked Questions
What is CVE-2022-2421?
CVE-2022-2421 is a vulnerability in the Socket.io js library that allows an attacker to overwrite the _placeholder object, potentially placing references to functions in the resulting query object.
What is the severity of CVE-2022-2421?
The severity of CVE-2022-2421 is critical with a severity value of 9.8.
Which software is affected by CVE-2022-2421?
The Socket.io-parser library versions 4.0.5 and 4.1.0 to 4.2.1 running on Node.js are affected by CVE-2022-2421.
How can an attacker exploit CVE-2022-2421?
An attacker can exploit CVE-2022-2421 by leveraging the improper type validation in attachment parsing to overwrite the _placeholder object and place references to functions in the resulting query object.
Is there a fix available for CVE-2022-2421?
Yes, it is recommended to update to a version of the Socket.io-parser library that is not affected by CVE-2022-2421.
- agent/references
- agent/type
- agent/first-publish-date
- agent/title
- agent/severity
- agent/author
- agent/weakness
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qm95-pgcg-qqfq
- alias/CVE-2022-2421
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/description
- collector/github-advisory
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- agent/tags
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- package-manager/npm
- vendor/socket
- canonical/socket socket.io-parser node.js
- version/socket socket.io-parser node.js/4.1.0