Bug 2144970 (CVE-2022-41940) - CVE-2022-41940 engine.io: Specially crafted HTTP request can trigger an uncaught exception
Summary: CVE-2022-41940 engine.io: Specially crafted HTTP request can trigger an uncaught exception
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-41940
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2144979 2147340 2147341
Blocks: 2144971
 
Reported: 2022-11-22 19:51 UTC by Pedro Sampaio
Modified: 2023-06-30 00:16 UTC
CC: 13 users

Fixed In Version: engine.io 3.6.1, engine.io 6.2.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in engine.io, the transport layer used by Socket.IO. Engine.IO is vulnerable to a denial of service caused by an uncaught exception: by sending a specially crafted HTTP request, a remote, authenticated attacker can cause the Node.js process to crash, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2023-06-30 00:16:44 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:3954  0        None      None    None     2023-06-29 20:07:44 UTC

Description Pedro Sampaio 2022-11-22 19:51:34 UTC
Engine.IO is the implementation of the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all users of the engine.io package, including those who use dependent packages such as socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.

References:

https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085
https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6
https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w
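Because engine.io is usually pulled in transitively (most often under socket.io), a project can carry a patched top-level copy and still ship a vulnerable nested one. The following is an added example, not code from this bug report or from the engine.io project: it walks an npm package-lock.json and flags every installed engine.io whose version is below the fix named in "Fixed In Version". The vulnerable ranges it assumes (anything in the 3.x line below 3.6.1, and anything from 4.0.0 up below 6.2.1) are derived from those two fixed versions; treat them as an assumption and confirm against the GHSA advisory linked above. The lockfile embedded in the block is constructed for the demonstration.

```javascript
'use strict';
// Added example (not part of the Bugzilla report or the engine.io project):
// scan an npm lockfile for engine.io copies still below the fixed versions
// named in this bug (3.6.1 for the 3.x line, 6.2.1 for the 4.x-6.x line).
// The two ranges are an ASSUMPTION derived from "Fixed In Version"; check
// GHSA-r7qp-cfhv-p84w for the authoritative affected ranges.

// Parse "major.minor.patch" (ignoring any pre-release/build suffix) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// engine.io is treated as vulnerable to CVE-2022-41940 if it is below the
// fix for its release line (assumption: 3.x fixed at 3.6.1, 4.0.0+ at 6.2.1).
function isVulnerableEngineIo(version) {
  const [major] = parseVersion(version);
  if (major <= 3) return compareVersions(version, '3.6.1') < 0;
  return compareVersions(version, '6.2.1') < 0;
}

// Collect every installed copy of engine.io from a package-lock.json object,
// direct or nested (e.g. under socket.io). Handles lockfileVersion 2/3
// ("packages" map keyed by install path) and lockfileVersion 1 ("dependencies" tree).
function findEngineIo(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/engine.io') && info.version) {
        found.push({ path, version: info.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, info] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'engine.io' && info.version) found.push({ path, version: info.version });
        if (info.dependencies) walk(info.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Audit result: each engine.io copy with its install path and a vulnerable flag.
function auditLock(lock) {
  return findEngineIo(lock).map(e => ({ ...e, vulnerable: isVulnerableEngineIo(e.version) }));
}

// Constructed sample lockfile (v3 layout): a fixed top-level engine.io 6.2.1
// beside an old socket.io that still pins a vulnerable nested engine.io 3.5.0.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'engine.io': '^6.2.1', 'socket.io': '^2.4.0' } },
    'node_modules/engine.io': { version: '6.2.1' },
    'node_modules/socket.io': { version: '2.4.1', dependencies: { 'engine.io': '~3.5.0' } },
    'node_modules/socket.io/node_modules/engine.io': { version: '3.5.0' },
  },
};

// CLI use: `node audit-engineio.js [path/to/package-lock.json]`; without an
// argument the constructed sample above is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const r of auditLock(lock)) {
    console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} engine.io@${r.version}  ${r.path}`);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { parseVersion, compareVersions, isVulnerableEngineIo, findEngineIo, auditLock, SAMPLE_LOCK };
}
```

Run against a real lockfile, a VULNERABLE line on a nested path is the case to watch for: bumping the top-level engine.io does nothing for a copy that socket.io resolved separately, and, per the report above, the only remedy is to get every copy onto 3.6.1 or 6.2.1 (or later).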

Comment 2 Anten Skrabec 2022-11-23 18:21:39 UTC
Created pgadmin4 tracking bugs for this issue:

Affects: fedora-37 [bug 2147341]


Created python-socketio tracking bugs for this issue:

Affects: fedora-35 [bug 2147340]

Comment 5 errata-xmlrpc 2023-06-29 20:07:43 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954

Comment 6 Product Security DevOps Team 2023-06-30 00:16:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41940

