7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-32695

GHSA ID

GHSA-cqmj-92xf-r6r9

EPSS Score

0.37977%

CWE

CWE-20

Published

5/23/2023

Updated

11/18/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-32695

CVE-2023-32695:
Insufficient validation when decoding a Socket.IO packet

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in socket.io-parser@4.2.3
https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in socket.io-parser@3.4.3

Another fix has been released for the 3.3.x branch:

https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4, included in `socket.io-parser@3.3.4

| socket.io version | socket.io-parser version | Needs minor update? | |---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------| | 4.5.2...latest | ~4.2.0 (ref) | npm audit fix should be sufficient | | 4.1.3...4.5.1 | ~4.1.1 (ref) | Please upgrade to socket.io@4.6.x | | 3.0.5...4.1.2 | ~4.0.3 (ref) | Please upgrade to socket.io@4.6.x | | 3.0.0...3.0.4 | ~4.0.1 (ref) | Please upgrade to socket.io@4.6.x | | 2.3.0...2.5.0 | ~3.4.0 (ref) | npm audit fix should be sufficient |

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

(GitHub Advisory)

7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-32695

GHSA ID

GHSA-cqmj-92xf-r6r9

EPSS Score

0.37977%

CWE

CWE-20

Published

5/23/2023

Updated

11/18/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
socket.io-parser	npm	>= 3.4.0, < 3.4.3	3.4.3
socket.io-parser	npm	>= 4.0.4, < 4.2.3	4.2.3
socket.io-parser	npm	< 3.3.4	3.3.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient input validation in Socket.IO's packet decoding logic. Patches introduced the isPayloadValid() function to enforce strict type checks on event names. The decodeString function (called by Decoder.add) previously allowed arrays with non-primitive first elements as event names. When such malformed packets were emitted via Socket.emit(), JavaScript's type coercion failed, causing uncaught exceptions. The commit diffs show these functions were modified to add validation, confirming their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * sp**i*lly *r**t** So*k*t.IO p**k*t **n tri***r *n un**u**t *x**ption on t** So*k*t.IO s*rv*r, t*us killin* t** No**.js pro**ss. ``` Typ**rror: **nnot *onv*rt o*j**t to primitiv* v*lu* *t So*k*t.*mit (no**:*v*nts:***:**) *

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt input v*li**tion in So*k*t.IO's p**k*t ***o*in* lo*i*. P*t***s intro*u*** t** `isP*ylo**V*li*()` *un*tion to *n*or** stri*t typ* ****ks on *v*nt n*m*s. T** `***o**Strin*` *un*tion (**ll** *y `***o**r.***`) pr

7.3

Basic Information

Concerned about an active attack path?

CVE-2023-32695: Insufficient validation when decoding a Socket.IO packet

Impact

Patches

Workarounds

For more information

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-32695:
Insufficient validation when decoding a Socket.IO packet

Vulnerability Intelligence
Miggo AI