CVE-2023-31125: Uncaught exception in engine.io
First published: Wed May 03 2023(Updated: )
### Impact A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. ``` TypeError: Cannot read properties of undefined (reading 'handlesUpgrades') at Server.onWebSocket (build/server.js:515:67) ``` This impacts all the users of the [`engine.io`](https://www.npmjs.com/package/engine.io) package, including those who uses depending packages like [`socket.io`](https://www.npmjs.com/package/socket.io). ### Patches A fix has been released today (2023/05/02): [6.4.2](https://github.com/socketio/engine.io/releases/tag/6.4.2) This bug was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. For `socket.io` users: | Version range | `engine.io` version | Needs minor update? | |-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------| | `socket.io@4.6.x` | `~6.4.0` | `npm audit fix` should be sufficient | | `socket.io@4.5.x` | `~6.2.0` | Please upgrade to `socket.io@4.6.x` | | `socket.io@4.4.x` | `~6.1.0` | Please upgrade to `socket.io@4.6.x` | | `socket.io@4.3.x` | `~6.0.0` | Please upgrade to `socket.io@4.6.x` | | `socket.io@4.2.x` | `~5.2.0` | Please upgrade to `socket.io@4.6.x` | | `socket.io@4.1.x` | `~5.1.1` | Please upgrade to `socket.io@4.6.x` | | `socket.io@4.0.x` | `~5.0.0` | Not impacted | | `socket.io@3.1.x` | `~4.1.0` | Not impacted | | `socket.io@3.0.x` | `~4.0.0` | Not impacted | | `socket.io@2.5.0` | `~3.6.0` | Not impacted | | `socket.io@2.4.x` and below | `~3.5.0` | Not impacted | ### Workarounds There is no known workaround except upgrading to a safe version. ### For more information If you have any questions or comments about this advisory: * Open an issue in [`engine.io`](https://github.com/socketio/engine.io) Thanks to Thomas Rinsma from Codean for the responsible disclosure.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Socket Engine.io | >=5.1.0<6.4.2 | |
| IBM Watson Knowledge Catalog on-prem | <=4.x | |
| npm/engine.io | >=5.1.0<6.4.2 | 6.4.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/socketio/engine.io/releases/tag/6.4.2
- https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44
- https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5
- https://security.netapp.com/advisory/ntap-20230622-0002/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/254734
- https://www.ibm.com/support/pages/node/7009747 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-31125
- https://github.com/advisories/GHSA-q9mw-68c2-j6m5 (Advisory)
Frequently Asked Questions
What is CVE-2023-31125?
CVE-2023-31125 is a vulnerability in Engine.IO, a transport-based communication layer for Socket.IO, that allows for a denial of service attack caused by an uncaught exception.
How does CVE-2023-31125 affect Socket.IO and Engine.IO?
CVE-2023-31125 affects Socket.IO version 4.1.0 and Engine.IO versions 5.1.0 to 6.4.2, allowing for a denial of service attack.
What versions of Socket.IO and Engine.IO are affected by CVE-2023-31125?
Socket.IO version 4.1.0 and Engine.IO versions 5.1.0 to 6.4.2 are affected by CVE-2023-31125.
What is the severity of CVE-2023-31125?
CVE-2023-31125 has a severity rating of 6.5, which is classified as medium.
How can I mitigate CVE-2023-31125?
To mitigate CVE-2023-31125, it is recommended to upgrade to the latest version of Socket.IO and Engine.IO, which addresses the vulnerability.
- collector/nvd-latest
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-q9mw-68c2-j6m5
- alias/CVE-2023-31125
- collector/nvd-cve
- collector/github-advisory
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/references
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/severity
- agent/type
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/tags
- agent/event
- vendor/socket
- canonical/socket engine.io
- version/socket engine.io/5.1.0
- package-manager/npm
- vendor/ibm
- canonical/ibm watson knowledge catalog on-prem
- version/ibm watson knowledge catalog on-prem/4.x