CVE-2022-21676
Denial of Service vulnerability in engine.io (npm)
What is CVE-2022-21676 About?
The Engine.IO server (versions 4.0.0 and later, before the fixed releases 4.1.2, 5.2.1 and 6.1.1) is vulnerable to a denial of service: a specially crafted HTTP request triggers an uncaught exception that terminates the Node.js process and takes the server down with it. Every application that depends on engine.io, including users of socket.io, is affected. Exploitation is straightforward and requires only one malformed request.
Affected Software
- engine.io
- >6.0.0, <6.1.1
- >5.0.0, <5.2.1
- >4.0.0, <4.1.2
Technical Details
The crash originates in the Engine.IO WebSocket transport, which delegates frame parsing to the ws package (receiver.js). A WebSocket connection to Engine.IO starts as an ordinary HTTP request carrying an Upgrade header; once the handshake completes, the client can send raw WebSocket frames. A frame whose header violates the protocol, for example one with the RSV2 or RSV3 bits set when no extension has negotiated them, fails validation in Receiver.getInfo (reached from Receiver.startLoop) and produces a RangeError: Invalid WebSocket frame. ws does not throw this error to its caller; it emits it as an 'error' event on the WebSocket object. The affected Engine.IO versions subscribed to the socket's 'message' and 'close' events but not to 'error', and in Node.js an 'error' event with no listener is thrown out of the emitter. The RangeError therefore surfaces as an uncaught exception at the top of the event loop and terminates the whole Node.js process, which is the denial of service. The fix registers an error handler on the WebSocket transport that closes the offending connection instead of letting the exception propagate.
What is the Impact of CVE-2022-21676?
Successful exploitation lets an unauthenticated remote attacker crash the Node.js process hosting the Engine.IO server, making every service that runs in that process, including Socket.IO applications, unavailable until it is restarted. Because a single malformed request is enough, the attacker can keep the service down by repeating it after each restart.
What is the Exploitability of CVE-2022-21676?
Exploitation complexity is low: the attacker needs only network access to the Engine.IO endpoint, the ability to complete a WebSocket handshake, and one malformed frame. No authentication or privileges are required, because the frame is rejected at the protocol-parsing layer before any application-level message is processed. The attack is remote and can be repeated at negligible cost; if a supervisor restarts the process, the attacker simply sends the request again. The only preconditions are an affected engine.io version (directly or pulled in by socket.io) and an enabled websocket transport, which is the default. Risk is high for any public-facing deployment, since the attack can be launched indiscriminately against every reachable endpoint.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | - | - |
What are the Available Fixes for CVE-2022-21676?
Available Upgrade Options
- engine.io
- >=4.0.0, <4.1.2 → Upgrade to 4.1.2
- >=5.0.0, <5.2.1 → Upgrade to 5.2.1
- >=6.0.0, <6.1.1 → Upgrade to 6.1.1
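Because engine.io is usually pulled in transitively (most often by socket.io), a vulnerable copy can sit nested below another package rather than at the top of node_modules. The following added example (not Resolved Security's or engine.io's code) walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and reports every engine.io entry, direct or nested, whose version falls in one of the affected ranges above, together with the release to move to. The sample lock-file object is constructed for the example.

```javascript
// Added example (not engine.io's or Resolved Security's code): flag lock-file
// entries of engine.io that fall inside the CVE-2022-21676 affected ranges.
// The lock-file object below is constructed for illustration.

// Affected ranges are [from, fixed): from <= version < fixed.
const AFFECTED = [
  { from: [4, 0, 0], fixed: [4, 1, 2] },
  { from: [5, 0, 0], fixed: [5, 2, 1] },
  { from: [6, 0, 0], fixed: [6, 1, 1] },
];

// Parse "MAJOR.MINOR.PATCH"; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function affectedRange(version) {
  const v = parseVersion(version);
  return AFFECTED.find((r) => cmp(v, r.from) >= 0 && cmp(v, r.fixed) < 0) || null;
}

function isVulnerableEngineIo(version) {
  return affectedRange(version) !== null;
}

// Fixed release for a vulnerable version, or null when it is not affected.
function recommendedUpgrade(version) {
  const r = affectedRange(version);
  return r ? r.fixed.join(".") : null;
}

// Keys in "packages" are install paths such as
// "node_modules/socket.io/node_modules/engine.io", so nested copies are found
// too. The suffix check excludes engine.io-client and engine.io-parser.
function findVulnerableEngineIo(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/engine.io")) continue;
    if (isVulnerableEngineIo(entry.version)) {
      hits.push({ path, version: entry.version, upgradeTo: recommendedUpgrade(entry.version) });
    }
  }
  return hits;
}

// Constructed sample lock file: one direct engine.io, one fixed copy under
// socket.io, and one old copy nested under a hypothetical legacy package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/engine.io": { version: "6.1.0" },
    "node_modules/engine.io-parser": { version: "5.0.3" },
    "node_modules/socket.io": { version: "4.4.0" },
    "node_modules/socket.io/node_modules/engine.io": { version: "6.1.1" },
    "node_modules/legacy-chat/node_modules/engine.io": { version: "4.1.1" },
    "node_modules/ws": { version: "8.2.3" },
  },
};

console.log(findVulnerableEngineIo(SAMPLE_LOCK));
```

Run it against the real lock file with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of `SAMPLE_LOCK`. A hit under a nested path means the parent package pins an old engine.io, so bumping the top-level dependency alone may not remove it; check the parent's own update or use an override.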
Additional Resources
- https://github.com/socketio/engine.io/commit/66f889fc1d966bf5bfa0de1939069153643874ab
- https://security.netapp.com/advisory/ntap-20220209-0002/
- https://github.com/socketio/engine.io/security/advisories/GHSA-273r-mgr4-v34f
- https://github.com/socketio/engine.io/commit/c0e194d44933bd83bf9a4b126fca68ba7bf5098c
- https://osv.dev/vulnerability/GHSA-273r-mgr4-v34f
- https://github.com/socketio/engine.io/releases/tag/4.1.2
- https://github.com/socketio/engine.io/releases/tag/5.2.1
What are Similar Vulnerabilities to CVE-2022-21676?
Similar Vulnerabilities: CVE-2018-16460, CVE-2019-10747, CVE-2020-26233, CVE-2021-23398, CVE-2021-23424
