7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39386

CVE-2022-39386: fastify/websocket vulnerable to uncaught exception via crash on malformed packet

Impact

Any application using @fastify/websocket could crash if a specific, malformed packet is sent.

All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched.

Patches

This has been patched in v7.1.1 (fastify v4) and v5.0.1 (fastify v3).

Workarounds

No known workaround is available. However, it should be possible to attach the error handler manually. The recommended path is upgrading to the patched versions.

Credits

marcolanaro for finding and patching this vulnerability

For more information

If you have any questions or comments about this advisory:

Open an issue in @fastify/websocket
Email us at hello@matteocollina.com

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-39386

CVE-2022-39386:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@fastify/websocket	npm	>= 6.0.0, < 7.1.1	7.1.1
fastify-websocket	npm	<= 4.3.0
@fastify/websocket	npm	>= 5.0.0, < 5.0.1	5.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from unhandled 'error' events on the WebSocket connection stream. The patch added an error handler (connection.on('error', ...)) to log errors, preventing uncaught exceptions. The pre-patch code in index.js created the connection without this critical error handling, making the WebSocket connection setup logic the vulnerable component. The test case demonstrates triggering a WS_ERR_UNEXPECTED_RSV_2_3 error via malformed packets, which would crash the process without the handler.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-39386: fastify/websocket vulnerable to uncaught exception via crash on malformed packet

Impact

Patches

Workarounds

Credits

For more information

CVE-2022-39386:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-39386: fastify/websocket vulnerable to uncaught exception via crash on malformed packet

Impact

Patches

Workarounds

Credits

For more information

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI