Vulnerability DatabaseCVE-2022-41940
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-41940
November 22, 2022
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.
Affected Packages
engine.io (NPM):
Affected version(s) >=0.1.0 <3.6.1
Fix Suggestion:
Update to version 3.6.1
engine.io (NPM):
Affected version(s) >=4.0.0 <6.2.1
Fix Suggestion:
Update to version 6.2.1
Related ResourcesĀ (6)
https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6
https://github.com/socketio/engine.io
https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41940.json
https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w
https://nvd.nist.gov/vuln/detail/CVE-2022-41940
https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
HIGH
Weakness Type (CWE)
Uncaught Exception
CWE-248
EPSS
Base Score:
2.1