CVE-2022-41940
PUBLISHED
CVSS 7.1 HIGH
Engine.IO is the implementation of the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, killing the Node.js process. This impacts all users of the engine.io package, including those who use dependent packages such as socket.io. There is no known workaround other than upgrading to a safe version. Patches for this issue were released in versions 3.6.1 and 6.2.1.
EPSS 2.17% · 84.6th percentile
Risk Scores
CVSS v3.1
7.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H
EPSS Score
2.17%
84.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| npm | engine.io | 0, 4.0.0 |
| socket | engine.io | 0, 4.0.0 |
| socketio | engine.io | >= 4.0.0, < 6.2.1, * |
Timeline
- Nov 21, 2022 CVE Published
- Nov 22, 2022 EPSS Score
- Feb 15, 2023 EPSS Score
- Mar 30, 2023 EPSS Score
- Jun 23, 2023 EPSS Score
- Sep 16, 2023 EPSS Score
- Oct 28, 2023 EPSS Score
- Nov 8, 2023 CVE Updated
- Jan 21, 2024 EPSS Score
- Apr 15, 2024 EPSS Score
- Jul 9, 2024 EPSS Score
- Oct 2, 2024 EPSS Score
References
- https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w (url)
- https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6 (url)
- https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085 (url)
- https://nvd.nist.gov/vuln/detail/CVE-2022-41940 (advisory)
- https://github.com/socketio/engine.io (package)