CVE-2022-41940
Denial of Service vulnerability in engine.io (npm)


What is CVE-2022-41940 About?

This is a Denial of Service (DoS) vulnerability in Engine.IO servers, including those used by Socket.IO, where a specially crafted HTTP request can trigger an uncaught exception. This leads to the Node.js process terminating, causing service disruption. The exploitation is relatively simple as it only requires sending a specific HTTP request.

Affected Software

  • engine.io
    • >4.0.0, <6.2.1
    • <3.6.1

Technical Details

The vulnerability resides within Engine.IO, where a specially crafted HTTP request can lead to an uncaught exception, specifically an 'Error: read ECONNRESET'. This error indicates that the peer reset the connection while the server was reading from the socket, which can be triggered by a malformed request that the server's HTTP parser or Engine.IO's underlying request handling does not process gracefully. In Node.js, a socket that emits an 'error' event while it has no 'error' listener throws that error, and because nothing in the affected code paths catches it, it becomes an uncaught exception. Node.js's default handling for an uncaught exception is to terminate the process, which causes a Denial of Service for all connected clients and prevents further connections until the process is restarted.

What is the Impact of CVE-2022-41940?

Successful exploitation may allow attackers to crash the server application, leading to a complete denial of service for all users and requiring manual intervention to restore service.

What is the Exploitability of CVE-2022-41940?

Exploitation of this Denial of Service vulnerability is of low complexity, as it primarily involves sending a specially crafted HTTP request to the vulnerable Engine.IO server. No specific authentication or elevated privileges are required, making it an unauthenticated attack. The attack is inherently remote, as it targets a network-accessible service. There are no special conditions or constraints beyond the attacker's ability to send HTTP requests to the target. Deployments exposing engine.io or socket.io instances to untrusted networks without robust input validation or error handling are at higher risk.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2022-41940?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch adds an 'error' event handler to sockets during the upgrade destroy timeout, the window in which Engine.IO waits before destroying a socket whose upgrade did not complete. With a handler attached, a socket error in that window (such as the connection being abruptly closed) is absorbed instead of becoming an uncaught exception. This change mitigates CVE-2022-41940, a denial of service vulnerability in which uncaught exceptions from socket errors could crash the Node.js process.

Available Upgrade Options

  • engine.io
    • <3.6.1 → Upgrade to 3.6.1
    • >4.0.0, <6.2.1 → Upgrade to 6.2.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-41940?

Similar Vulnerabilities: CVE-2021-32803, CVE-2020-8178, CVE-2019-10744, CVE-2017-1000378, CVE-2016-1000213