CVE-2022-41940
First published: Tue Nov 22 2022(Updated: )
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Socket Engine.io | <3.6.1 | |
| Socket Engine.io | >=4.0.0<6.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6
- https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085
- https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2147341
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2147340
- https://access.redhat.com/errata/RHSA-2023:3954
- https://access.redhat.com/security/cve/cve-2022-41940
- https://bugzilla.redhat.com/show_bug.cgi?id=2144970
Frequently Asked Questions
What is CVE-2022-41940?
CVE-2022-41940 is a vulnerability in the Engine.IO communication layer for Socket.IO, where a specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, leading to the termination of the Node.js process.
What is the severity of CVE-2022-41940?
The severity of CVE-2022-41940 is high, with a CVSS score of 6.5.
Which versions of Engine.IO are affected by CVE-2022-41940?
Engine.IO versions up to, but excluding, 3.6.1 and versions up to, but excluding, 6.2.1 are affected by CVE-2022-41940.
How can I fix CVE-2022-41940?
To fix CVE-2022-41940, update your Engine.IO package to version 3.6.1 or higher if using versions prior to 6.2.1, or update to version 6.2.1 or higher if using versions 4.0.0 and higher.
Are there any additional references for CVE-2022-41940?
Yes, you can find additional references for CVE-2022-41940 at the following links: [GitHub Commit 1](https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085), [GitHub Commit 2](https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6), [GitHub Security Advisory](https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-41940
- agent/software-canonical-lookup
- vendor/socket
- canonical/socket engine.io
- version/socket engine.io/4.0.0
- package-manager/redhat