Main Vulnerability Database Vulnerabilities #VU77489

#VU77489 Uncaught Exception in engine.io - CVE-2022-41940

Published: June 16, 2023

Vulnerability identifier: #VU77489

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-41940

CWE-ID: CWE-248

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
engine.io

Software vendor:
socket.io

Description

The vulnerability allows a remote user to perform denial of service attacks.

The vulnerability exists due to an uncaught exception. A remote user can send specially crafted HTTP request to trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

Remediation

Install updates from vendor's website.

External links

https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085
https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6
https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w

#VU77489 Uncaught Exception in engine.io - CVE-2022-41940

Description

Remediation

External links

Please verify you're human