First published: Sat May 27 2023(Updated: )
socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Socket Socket.io-parser | >=3.4.0<3.4.3 | |
Socket Socket.io-parser | >=4.0.4<4.2.3 | |
IBM Watson Knowledge Catalog on-prem | <=4.x |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-32695 refers to a vulnerability in the Socket.IO socket.io-parser library that allows for a denial of service attack by triggering an uncaught exception on the server.
CVE-2023-32695 has a severity rating of 7.5 (High).
Versions between 3.4.0 and 3.4.3 of Socket.io-parser and versions between 4.0.4 and 4.2.3 of Socket.io-parser are affected. Additionally, IBM Watson Knowledge Catalog on-prem 4.x is also affected.
To fix CVE-2023-32695, update Socket.io-parser to version 4.2.3, which contains a patch for this vulnerability.
You can find more information about CVE-2023-32695 on the official Socket.IO socket.io-parser GitHub repository and the associated commits.