PT-2022-16539

Frank Breedijk

Published 2022-10-25 · Updated 2026-02-06

CVE-2022-2421 · CVSS v3.1 10 (Critical) · Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Socket.io versions prior to 4.5.2
Socket.io-client versions prior to 4.5.0
Socket.io-parser versions prior to 4.2.1
Socket.io-parser versions prior to 4.0.5
Socket.io-parser versions prior to 3.4.2
Socket.io-parser versions prior to 3.3.3

Description

Due to improper type validation in attachment parsing in the Socket.io js library, it is possible to overwrite the placeholder object, allowing an attacker to place references to functions at arbitrary places in the resulting query object. This issue can be exploited by sending malicious packets, such as a number out of bounds, a value that is not a number, or a string that is part of the prototype of Array or Object. For example, an attacker can send a packet with a string like "push" or "hasOwnProperty" to overwrite the placeholder object. To mitigate this issue, it is essential to ensure that the payload received from the client is a Buffer object.

Recommendations

For Socket.io versions prior to 4.5.2, update to version 4.5.2 or later.
For Socket.io-client versions prior to 4.5.0, update to version 4.5.0 or later.
For Socket.io-parser versions prior to 4.2.1, update to version 4.2.1 or later.
For Socket.io-parser versions prior to 4.0.5, update to version 4.0.5 or later.
For Socket.io-parser versions prior to 3.4.2, update to version 3.4.2 or later.
For Socket.io-parser versions prior to 3.3.3, update to version 3.3.3 or later.

As a temporary workaround, consider validating the payload received from the client to ensure it is a Buffer object, and disconnect the client if it is not.
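The weakness described above and the check that closes it, as an added illustration that is not socket.io-parser's own source: a simplified placeholder reconstruction in its vulnerable shape next to a hardened one that validates the index type, the bounds, and that the attachment is a Buffer, run on a constructed packet whose index is the string "push".

```javascript
// Added illustration of the bug class behind CVE-2022-2421 (simplified,
// not socket.io-parser's own source). During binary reconstruction each
// placeholder { _placeholder: true, num: <index> } is swapped for buffers[num].

// Vulnerable shape: "num" is used as an index with no type or bounds check.
function reconstructVulnerable(data, buffers) {
  if (!data) return data;
  if (data._placeholder) {
    // "push" or "hasOwnProperty" resolves through the array's prototype chain,
    // so a function reference lands in the reconstructed packet; an
    // out-of-range number yields undefined instead of an attachment.
    return buffers[data.num];
  }
  if (Array.isArray(data)) {
    for (let i = 0; i < data.length; i++) {
      data[i] = reconstructVulnerable(data[i], buffers);
    }
  } else if (typeof data === "object") {
    for (const key of Object.keys(data)) {
      data[key] = reconstructVulnerable(data[key], buffers);
    }
  }
  return data;
}

// Hardened shape: the flag must be exactly true, the index must be an
// in-range integer, and the attachment itself must be a Buffer (the
// advisory's workaround check, applied at the point of reconstruction).
function reconstructHardened(data, buffers) {
  if (!data) return data;
  if (data._placeholder === true) {
    const indexOk = Number.isInteger(data.num) && data.num >= 0 && data.num < buffers.length;
    if (!indexOk) throw new Error("illegal attachments");
    const attachment = buffers[data.num];
    if (!Buffer.isBuffer(attachment)) throw new Error("attachment is not a Buffer");
    return attachment;
  }
  if (Array.isArray(data)) {
    for (let i = 0; i < data.length; i++) {
      data[i] = reconstructHardened(data[i], buffers);
    }
  } else if (typeof data === "object") {
    for (const key of Object.keys(data)) {
      data[key] = reconstructHardened(data[key], buffers);
    }
  }
  return data;
}

// Constructed sample input: one legitimate attachment, and a placeholder
// whose index is a prototype property name rather than a number.
const buffers = [Buffer.from("legit attachment")];
const maliciousPlaceholder = () => ({ _placeholder: true, num: "push" });
```

A server that rejects the packet (and disconnects the client) when the hardened path throws implements the temporary workaround from the recommendations.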

Fix

SQL injection

RCE

Weakness Enumeration

Related Identifiers

CVE-2022-2421
GHSA-QM95-PGCG-QQFQ

Affected Products

Socket.Io
Socket.Io-Client
Socket.Io-Parser