Skip to content

Socket handler allows abusing implicit toString

High
daffl published GHSA-hhr9-rh25-hvf9 Jul 19, 2023

Package

npm @feathersjs/socketio (npm)

Affected versions

<= 4.5.17
<= 5.0.7

Patched versions

4.5.18
5.0.8
npm @feathersjs/transport-commons (npm)
<= 4.5.17
<= 5.0.7
4.5.18
5.0.8

Description

Impact

Feathers socket handler did not catch invalid string conversion errors like:

const message = `${{ toString: '' }}`

Causing the NodeJS process to crash when sending an unexpected Socket.io message like

socket.emit('find', { toString: '' })

Patches

A fix has been released in

Workarounds

Since it is in the core Socket handling code upgrading to the latest version is necessary.

References

Severity

High

CVE ID

CVE-2023-37899

Weaknesses

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. Learn more on MITRE.

Credits