Skip to content

Uncaught exception in engine.io

High
darrachequesne published GHSA-r7qp-cfhv-p84w Nov 20, 2022

Package

npm engine.io (npm)

Affected versions

< 3.6.1
>= 4.0.0, <= 6.2.1

Patched versions

3.6.1
6.2.1

Description

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

Version range Fixed version
[email protected] 3.6.1
[email protected] 6.2.1

For socket.io users:

Version range engine.io version Needs minor update?
[email protected] ~6.2.0 npm audit fix should be sufficient
[email protected] ~6.1.0 Please upgrade to [email protected]
[email protected] ~6.0.0 Please upgrade to [email protected]
[email protected] ~5.2.0 Please upgrade to [email protected]
[email protected] ~5.1.1 Please upgrade to [email protected]
[email protected] ~5.0.0 Please upgrade to [email protected]
[email protected] ~4.1.0 Please upgrade to [email protected] (see here)
[email protected] ~4.0.0 Please upgrade to [email protected] (see here)
[email protected] ~3.6.0 npm audit fix should be sufficient
[email protected] and below ~3.5.0 Please upgrade to [email protected]

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Thanks to Jonathan Neve for the responsible disclosure.

Severity

High

CVE ID

CVE-2022-41940

Weaknesses

No CWEs