CVE-2022-21676

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package starting from version `4.0.0`, including those who uses depending packages like `socket.io`. Versions prior to `4.0.0` are not impacted. A fix has been released for each major branch, namely `4.1.2` for the `4.x.x` branch, `5.2.1` for the `5.x.x` branch, and `6.1.1` for the `6.x.x` branch. There is no known workaround except upgrading to a safe version.

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package starting from version `4.0.0`, including those who uses depending packages like `socket.io`. Versions prior to `4.0.0` are not impacted. A fix has been released for each major branch, namely `4.1.2` for the `4.x.x` branch, `5.2.1` for the `5.x.x` branch, and `6.1.1` for the `6.x.x` branch. There is no known workaround except upgrading to a safe version.

### Impact A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. > RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear > at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14) > at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22) > at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10) > at writeOrBuffer (internal/streams/writable.js:358:12) This impacts all the users of the [`engine.io`](https://www.npmjs.com/package/engine.io) package starting from version `4.0.0`, including those who uses depending packages like [`socket.io`](https://www.npmjs.com/package/socket.io). ### Patches A fix has been released for each major branch: | Version range | Fixed version | | --- | --- | | `engine.io@4.x.x` | `4.1.2` | | `engine.io@5.x.x` | `5.2.1` | | `engine.io@6.x.x` | `6.1.1` | Previous versions (`< 4.0.0`) are not impacted. For `socket.io` users: | Version range | `engine.io` version | Needs minor update? | | --- | --- | --- | | `socket.io@4.4.x` | `~6.1.0` | - | `socket.io@4.3.x` | `~6.0.0` | Please upgrade to `socket.io@4.4.x` | `socket.io@4.2.x` | `~5.2.0` | - | `socket.io@4.1.x` | `~5.1.1` | Please upgrade to `socket.io@4.4.x` | `socket.io@4.0.x` | `~5.0.0` | Please upgrade to `socket.io@4.4.x` | `socket.io@3.1.x` | `~4.1.0` | - | `socket.io@3.0.x` | `~4.0.0` | Please upgrade to `socket.io@3.1.x` or `socket.io@4.4.x` (see [here](https://socket.io/docs/v4/migrating-from-3-x-to-4-0/)) In most cases, running `npm audit fix` should be sufficient. You can also use `npm update engine.io --depth=9999`. ### Workarounds There is no known workaround except upgrading to a safe version. ### For more information If you have any questions or comments about this advisory: * Open an issue in [`engine.io`](https://github.com/socketio/engine.io) Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

### Impact A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. > RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear > at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14) > at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22) > at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10) > at writeOrBuffer (internal/streams/writable.js:358:12) This impacts all the users of the [`engine.io`](https://www.npmjs.com/package/engine.io) package starting from version `4.0.0`, including those who uses depending packages like [`socket.io`](https://www.npmjs.com/package/socket.io). ### Patches A fix has been released for each major branch: | Version range | Fixed version | | --- | --- | | `engine.io@4.x.x` | `4.1.2` | | `engine.io@5.x.x` | `5.2.1` | | `engine.io@6.x.x` | `6.1.1` | Previous versions (`< 4.0.0`) are not impacted. For `socket.io` users: | Version range | `engine.io` version | Needs minor update? | | --- | --- | --- | | `socket.io@4.4.x` | `~6.1.0` | - | `socket.io@4.3.x` | `~6.0.0` | Please upgrade to `socket.io@4.4.x` | `socket.io@4.2.x` | `~5.2.0` | - | `socket.io@4.1.x` | `~5.1.1` | Please upgrade to `socket.io@4.4.x` | `socket.io@4.0.x` | `~5.0.0` | Please upgrade to `socket.io@4.4.x` | `socket.io@3.1.x` | `~4.1.0` | - | `socket.io@3.0.x` | `~4.0.0` | Please upgrade to `socket.io@3.1.x` or `socket.io@4.4.x` (see [here](https://socket.io/docs/v4/migrating-from-3-x-to-4-0/)) In most cases, running `npm audit fix` should be sufficient. You can also use `npm update engine.io --depth=9999`. ### Workarounds There is no known workaround except upgrading to a safe version. ### For more information If you have any questions or comments about this advisory: * Open an issue in [`engine.io`](https://github.com/socketio/engine.io) Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

Engine.IO es la implementación de la capa de comunicación bidireccional entre navegadores y dispositivos para Socket.IO. Una petición HTTP especialmente diseñada puede desencadenar una excepción no capturada en el servidor de Engine.IO, matando así el proceso de Node.js. Esto afecta a todos los usuarios del paquete "engine.io" a partir de la versión "4.0.0", incluyendo aquellos que usan paquetes dependientes como "socket.io". Las versiones anteriores a "4.0.0" no están afectadas. Ha sido publicado una corrección para cada rama principal, a saber, "4.1.2" para la rama "4.x.x", "5.2.1" para la rama "5.x.x", y "6.1.1" para la rama "6.x.x". No se presenta ninguna medida de mitigación conocida, excepto la actualización a una versión segura