#VU77489 Uncaught Exception in engine.io - CVE-2022-41940

Cybersecurity Help s.r.o.

Published: 2023-06-16

Vulnerability identifier: #VU77489

Vulnerability risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-41940

CWE-ID: CWE-248

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
engine.io
Other software / Other software solutions

Vendor: socket.io

Description

The vulnerability allows a remote user to perform denial of service attacks.

The vulnerability exists due to an uncaught exception. A remote user can send specially crafted HTTP request to trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

engine.io: 4.0.0 - 6.2.0

External links
https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085
https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6
https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Answer Retrieval for Watson Discovery

Multiple vulnerabilities in IBM Cloud Transformation Advisor

Multiple vulnerabilities in Fuse 7

Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)

Uncaught exception inj IBM App Connect Enterprise Certified Container