CVE-2020-36049
Denial of Service vulnerability in socket.io-parser (npm)
What is CVE-2020-36049 About?
The `socket.io-parser` npm package is vulnerable to a denial of service due to excessive memory consumption caused by large packet processing. An attacker can send a specially crafted large packet, leading to memory exhaustion and application crashes. This vulnerability is relatively easy to exploit if an attacker can send arbitrary data to the server.
Affected Software
- socket.io-parser
- >3.4.0, <3.4.1
- <3.3.2
Technical Details
The vulnerability exists in the socket.io-parser npm package before versions 3.3.2 and 3.4.1. The root cause is the way the parser's `decodeString` function builds fields of an incoming packet: it appends to a string one character at a time in a loop, so decoding a packet with a very long field performs a large number of intermediate string allocations rather than a single copy of the packet. An attacker who can send an exceedingly large packet therefore forces the server to allocate far more memory than the packet itself occupies, leading to memory exhaustion and a denial of service for the socket.io server instance.
What is the Impact of CVE-2020-36049?
Successful exploitation may allow attackers to cause a denial of service, leading to resource exhaustion, application crashes, and unavailability of the affected service.
What is the Exploitability of CVE-2020-36049?
Exploitation complexity is low. An attacker needs to be able to send large, specially crafted packets to a vulnerable socket.io server. No specific authentication or privilege is required to trigger this vulnerability, as it typically targets the public-facing socket.io endpoint. This is a remote attack. The primary prerequisite is that the application uses a vulnerable version of socket.io-parser and is exposed to untrusted network traffic. The risk is increased if the server does not implement robust input size limits or rate limiting for incoming socket.io packets.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-36049?
About the Fix from Resolved Security
This patch resolves CVE-2020-36049 by using substring extraction instead of incrementally building strings with concatenation in the decodeString function. This prevents potential denial-of-service attacks caused by inefficient string concatenation in large or maliciously crafted packets, ensuring more robust and performant parsing of incoming messages.
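The difference between the two parsing strategies described above (the incremental concatenation in the Technical Details section and the substring extraction used by the fix) is easiest to see on a small parser. The following is an added illustration written for this page; it is not socket.io-parser's own code. It assumes a simplified socket.io packet grammar (`<type digit>[<attachments>-][/<namespace>,][<id digits>][<json payload>]`), a hypothetical `MAX_PACKET_LENGTH` limit, and the helper names `decodeIdConcat`, `decodeIdSubstring` and `decodePacket`, none of which come from the library.

```javascript
// Added illustration for CVE-2020-36049; not socket.io-parser's own code.
// Packet grammar assumed here (simplified):
//   <type digit>[<attachments>-][/<namespace>,][<id digits>][<json payload>]

// Hypothetical upper bound on a single packet; a real deployment would pick
// this from its own message sizes. Constructed value for the example.
const MAX_PACKET_LENGTH = 1024 * 1024;

// Pattern the advisory describes as vulnerable: the acknowledgement id is
// rebuilt one character at a time with `+=`, so every digit of a long id
// creates another intermediate string before the final one exists.
function decodeIdConcat(str, start) {
  let id = '';
  let i = start;
  while (i < str.length && /[0-9]/.test(str.charAt(i))) {
    id += str.charAt(i); // incremental concatenation, one allocation per digit
    i++;
  }
  return { id: id === '' ? undefined : Number(id), next: i };
}

// Pattern used by the fix: locate the end of the digit run first, then take a
// single substring. Only one new string is created regardless of id length.
function decodeIdSubstring(str, start) {
  let i = start;
  while (i < str.length) {
    const c = str.charCodeAt(i);
    if (c < 48 || c > 57) break; // stop at first non-digit
    i++;
  }
  if (i === start) return { id: undefined, next: i };
  return { id: Number(str.substring(start, i)), next: i };
}

// Simplified decoder. `decodeId` selects which id strategy to use, and
// `maxLength` is the input size limit the Exploitability section recommends:
// oversized packets are rejected before any parsing work is done.
function decodePacket(str, decodeId, maxLength = MAX_PACKET_LENGTH) {
  if (typeof str !== 'string') throw new TypeError('packet must be a string');
  if (str.length > maxLength) {
    throw new RangeError('packet exceeds ' + maxLength + ' characters');
  }
  const p = { nsp: '/' };
  let i = 0;

  // 1. packet type: a single digit
  p.type = Number(str.charAt(i++));
  if (!Number.isInteger(p.type)) throw new Error('illegal packet type');

  // 2. attachment count for binary packet types (5 and 6): "<n>-"
  if (p.type === 5 || p.type === 6) {
    const dash = str.indexOf('-', i);
    if (dash === -1) throw new Error('illegal attachments');
    p.attachments = Number(str.substring(i, dash));
    i = dash + 1;
  }

  // 3. namespace: "/name," (comma may be absent at end of packet)
  if (str.charAt(i) === '/') {
    const comma = str.indexOf(',', i);
    const end = comma === -1 ? str.length : comma;
    p.nsp = str.substring(i, end);
    i = comma === -1 ? end : end + 1;
  }

  // 4. acknowledgement id: a run of digits, decoded by the chosen strategy
  const r = decodeId(str, i);
  p.id = r.id;
  i = r.next;

  // 5. optional JSON payload: everything that remains
  if (i < str.length) p.data = JSON.parse(str.substring(i));
  return p;
}

module.exports = { MAX_PACKET_LENGTH, decodeIdConcat, decodeIdSubstring, decodePacket };
```

Both strategies produce identical packets on ordinary input; the difference is only in how much transient memory is needed while a long id is being read, which is exactly the property the fix changes. The length check in `decodePacket` is the defence-in-depth layer that applies even to a patched parser: a server that never accepts packets larger than its protocol actually needs removes the attacker's ability to pick the input size.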
Available Upgrade Options
- socket.io-parser
- <3.3.2 → Upgrade to 3.3.2
- >3.4.0, <3.4.1 → Upgrade to 3.4.1
Additional Resources
- https://github.com/bcaller/kill-engine-io
- https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55
- https://blog.caller.xyz/socketio-engineio-dos/
- https://nvd.nist.gov/vuln/detail/CVE-2020-36049
- https://github.com/socketio/socket.io-parser/releases/tag/3.3.2
- https://www.npmjs.com/package/socket.io-parser
- https://osv.dev/vulnerability/GHSA-xfhh-g9f5-x4m4
What are Similar Vulnerabilities to CVE-2020-36049?
Similar Vulnerabilities: CVE-2020-36048, CVE-2020-36050, CVE-2020-36051, CVE-2020-36052, CVE-2020-36053
