Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
at writeOrBuffer (internal/streams/writable.js:358:12)
This impacts all the users of the engine.io package starting from version 4.0.0, including those who uses depending packages like socket.io.
Patches
A fix has been released for each major branch:
| Version range |
Fixed version |
engine.io@4.x.x |
4.1.2 |
engine.io@5.x.x |
5.2.1 |
engine.io@6.x.x |
6.1.1 |
Previous versions (< 4.0.0) are not impacted.
For socket.io users:
| Version range |
engine.io version |
Needs minor update? |
socket.io@4.4.x |
~6.1.0 |
- |
socket.io@4.3.x |
~6.0.0 |
Please upgrade to socket.io@4.4.x |
socket.io@4.2.x |
~5.2.0 |
- |
socket.io@4.1.x |
~5.1.1 |
Please upgrade to socket.io@4.4.x |
socket.io@4.0.x |
~5.0.0 |
Please upgrade to socket.io@4.4.x |
socket.io@3.1.x |
~4.1.0 |
- |
socket.io@3.0.x |
~4.0.0 |
Please upgrade to socket.io@3.1.x or socket.io@4.4.x (see here) |
In most cases, running npm audit fix should be sufficient. You can also use npm update engine.io --depth=9999.
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.
References
marwej Analyst
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
This impacts all the users of the
engine.iopackage starting from version4.0.0, including those who uses depending packages likesocket.io.Patches
A fix has been released for each major branch:
engine.io@4.x.x4.1.2engine.io@5.x.x5.2.1engine.io@6.x.x6.1.1Previous versions (
< 4.0.0) are not impacted.For
socket.iousers:engine.ioversionsocket.io@4.4.x~6.1.0socket.io@4.3.x~6.0.0socket.io@4.4.xsocket.io@4.2.x~5.2.0socket.io@4.1.x~5.1.1socket.io@4.4.xsocket.io@4.0.x~5.0.0socket.io@4.4.xsocket.io@3.1.x~4.1.0socket.io@3.0.x~4.0.0socket.io@3.1.xorsocket.io@4.4.x(see here)In most cases, running
npm audit fixshould be sufficient. You can also usenpm update engine.io --depth=9999.Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
engine.ioThanks to Marcus Wejderot from Mevisio for the responsible disclosure.
References