Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-2421

Good to know:

icon
icon

Date: October 24, 2022

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Language: JS

Severity Score

Related Resources (11)

https://csirt.divd.nl/cves/CVE-2022-2421
https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4
https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983
https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050
https://github.com/socketio/socket.io-parser
https://csirt.divd.nl/cases/DIVD-2022-00045
https://nvd.nist.gov/vuln/detail/CVE-2022-2421
https://csirt.divd.nl/CVE-2022-2421
https://csirt.divd.nl/DIVD-2022-00045
https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14
https://www.mend.io/vulnerability-database/CVE-2022-2421

Severity Score

Weakness Type (CWE)

Improper Input Validation

CWE-20

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Insufficient Information

NVD-CWE-noinfo

Improper Validation of Specified Type of Input

CWE-1287

Top Fix

icon

Upgrade Version

Upgrade to version socket.io-parser - 3.4.2;socket.io-parser - 3.3.3;socket.io-parser - 4.2.1;socket.io-parser - 4.0.5

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us