Skip to content

Fix CVE–2022–2421#45

Open
debricked[bot] wants to merge 1 commit intodebricked-fix-CVE_2020_15366-a74f6987ddd3b7d1from
debricked-fix-CVE_2022_2421-5be58b00bd2d2e79
Open

Fix CVE–2022–2421#45
debricked[bot] wants to merge 1 commit intodebricked-fix-CVE_2020_15366-a74f6987ddd3b7d1from
debricked-fix-CVE_2022_2421-5be58b00bd2d2e79

Conversation

@debricked
Copy link

@debricked debricked bot commented Dec 13, 2022

CVE–2022–2421

Vulnerability details

Description

NVD

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

GitHub

Insufficient validation when decoding a Socket.IO packet

Due to improper type validation in the socket.io-parser library (which is used by the socket.io and socket.io-client packages to encode and decode Socket.IO packets), it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Example:

const decoder = new Decoder();

decoder.on("decoded", (packet) => {
 console.log(packet.data); // prints [ 'hello', [Function: splice] ]
})

decoder.add('51-["hello",{"_placeholder":true,"num":"splice"}]');
decoder.add(Buffer.from("world"));

This bubbles up in the socket.io package:

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // here, "val" could be a function instead of a buffer
 });
});

⚠️ IMPORTANT NOTE ⚠️

You need to make sure that the payload that you received from the client is actually a Buffer object:

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 if (!Buffer.isBuffer(val)) {
 socket.disconnect();
 return;
 }
 // ...
 });
});

If that's already the case, then you are not impacted by this issue, and there is no way an attacker could make your server crash (or escalate privileges, ...).

Example of values that could be sent by a malicious user:

  • a number that is out of bounds

Sample packet: 451-["hello",{"_placeholder":true,"num":10}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is `undefined`
 });
});
  • a value that is not a number, like undefined

Sample packet: 451-["hello",{"_placeholder":true,"num":undefined}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is `undefined`
 });
});
  • a string that is part of the prototype of Array, like "push"

Sample packet: 451-["hello",{"_placeholder":true,"num":"push"}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is a reference to the "push" function
 });
});
  • a string that is part of the prototype of Object, like "hasOwnProperty"

Sample packet: 451-["hello",{"_placeholder":true,"num":"hasOwnProperty"}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is a reference to the "hasOwnProperty" function
 });
});

This should be fixed by:

Dependency analysis for the socket.io package

socket.io version socket.io-parser version Covered?
4.5.2...latest ~4.2.0 (ref) Yes ✔️
4.1.3...4.5.1 ~4.0.4 (ref) Yes ✔️
3.0.5...4.1.2 ~4.0.3 (ref) Yes ✔️
3.0.0...3.0.4 ~4.0.1 (ref) Yes ✔️
2.3.0...2.5.0 ~3.4.0 (ref) Yes ✔️

Dependency analysis for the socket.io-client package

socket.io-client version socket.io-parser version Covered?
4.5.0...latest ~4.2.0 (ref) Yes ✔️
4.3.0...4.4.1 ~4.1.1 (ref) No, but the impact is very limited
3.1.0...4.2.0 ~4.0.4 (ref) Yes ✔️
3.0.5 ~4.0.3 (ref) Yes ✔️
3.0.0...3.0.4 ~4.0.1 (ref) Yes ✔️
2.2.0...2.5.0 ~3.3.0 (ref) Yes ✔️
CVSS details - 9.8

 

CVSS3 metrics
Attack Vector Network
Attack Complexity Low
Privileges Required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
References

    Insufficient validation when decoding a Socket.IO packet · CVE-2022-2421 · GitHub Advisory Database · GitHub
    NVD - CVE-2022-2421
    Socket.io - Improper type validation in attachment parsing | DIVD CSIRT
    DIVD-2022-00045 - Injection vulnerability found within Socket.io | DIVD CSIRT
    fix: check the format of the index of each attachment · socketio/socket.io-parser@b559f05 · GitHub
    fix: check the format of the index of each attachment · socketio/socket.io-parser@b5d0cb7 · GitHub
    fix: check the format of the index of each attachment · socketio/socket.io-parser@04d23ce · GitHub
    fix: check the format of the index of each attachment · socketio/socket.io-parser@fb21e42 · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants