Engine.IO is the transport-based, cross-browser/cross-device bi-directional communication layer on which Socket.IO is built. A specially crafted HTTP request can trigger an uncaught exception in the Engine.IO server; because nothing handles the exception, the Node.js process is terminated, giving a denial of service against the server. This affects every user of the engine.io package, including those who use dependent packages such as socket.io. There is no known workaround other than upgrading to a fixed version. Fixes were released in versions 3.6.1 and 6.2.1.
References:
https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085
https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6
https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w
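As an added example (not from the advisory and not code from the engine.io project), the following script walks an `npm ls --json`-shaped dependency tree and flags every copy of engine.io older than the fixed releases the advisory names. Because socket.io pulls engine.io in as a transitive dependency, the whole tree is walked rather than only the top level. The affected range is an assumption derived from the two patched versions on the page: everything below 3.6.1, and the 4.x to 6.x line below 6.2.1. The sample tree is constructed, not real `npm ls` output.

```javascript
// Added example, not part of the advisory or the engine.io project.
// Scan an `npm ls --json`-shaped dependency tree for engine.io copies that
// predate the fixed releases named in the advisory (3.6.1 and 6.2.1).

const FIXED_3X = [3, 6, 1];
const FIXED_6X = [6, 2, 1];

// Parse "6.2.0" / "v6.2.0" into [major, minor, patch]; prerelease tags are ignored.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Three-component numeric comparison: negative, zero or positive like strcmp.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Assumption derived from the two patched versions the advisory lists:
// anything below 3.6.1 is affected, and the 4.x/5.x/6.x line is affected
// until 6.2.1. Versions 3.6.1 up to the end of 3.x, and 6.2.1+, are treated as fixed.
function isAffected(version) {
  const v = parseVersion(version);
  if (compareVersions(v, FIXED_3X) < 0) return true;
  if (v[0] >= 4 && compareVersions(v, FIXED_6X) < 0) return true;
  return false;
}

// Walk the tree and report every engine.io node with its dependency path,
// so transitive copies reached through socket.io are not missed.
function findEngineIo(tree, path = [tree.name || "(root)"]) {
  const findings = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === "engine.io") {
      findings.push({
        path: here.join(" > "),
        version: node.version,
        affected: isAffected(node.version),
      });
    }
    findings.push(...findEngineIo(node, here));
  }
  return findings;
}

// Constructed sample tree (not real `npm ls` output): one vulnerable copy
// reached through socket.io, one already-patched copy on the 3.x line.
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "socket.io": {
      version: "4.5.2",
      dependencies: { "engine.io": { version: "6.2.0" } },
    },
    "legacy-chat": {
      version: "0.1.0",
      dependencies: { "engine.io": { version: "3.6.1" } },
    },
  },
};

for (const f of findEngineIo(SAMPLE_TREE)) {
  console.log(`${f.affected ? "AFFECTED" : "ok      "} ${f.path}`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with the parsed output of `npm ls --all --json`; any line marked AFFECTED names a copy that must be upgraded, since the advisory offers no other workaround.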
Created pgadmin4 tracking bugs for this issue:
Affects: fedora-37 [bug 2147341]
Created python-socketio tracking bugs for this issue:
Affects: fedora-35 [bug 2147340]
This issue has been addressed in the following products: Red Hat Fuse 7.12 Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-41940