Home > Vulnerability Database > CVE-2023-31125

Mend.io Vulnerability Database

CVE-2023-31125

Good to know:

Date: May 8, 2023

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the "socket.io" parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the "engine.io" package, including those who use depending packages like "socket.io". This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.

Language: TYPE_SCRIPT

Severity Score

6.5

Related Resources (8)

Url: https://github.com/socketio/engine.io/releases/tag/6.4.2

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-31125

Url: https://security.netapp.com/advisory/ntap-20230622-0002/

Url: https://github.com/socketio/engine.io

Url: https://security.netapp.com/advisory/ntap-20230622-0002

Url: https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5

Url: https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44

Url: https://www.mend.io/vulnerability-database/CVE-2023-31125

Severity Score

6.5

Weakness Type (CWE)

Uncaught Exception

CWE-248

Top Fix

Upgrade Version

Upgrade to version engine.io - 6.4.2

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-31125

Good to know:

Date: May 8, 2023

Language: TYPE_SCRIPT

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?