CVE-2023-31125
Denial of Service vulnerability in engine.io (npm)
What is CVE-2023-31125 About?
This vulnerability is a Denial of Service (DoS) in the Engine.IO server, impacting all users including Socket.IO, caused by a specially crafted HTTP request triggering an uncaught exception. Successful exploitation leads to the termination of the Node.js process, making the service unavailable. Exploitation is relatively easy as it only requires sending a specific malformed HTTP request.
Affected Software
Technical Details
The vulnerability in Engine.IO (introduced in version 5.1.0) allows a specially crafted HTTP request to trigger an uncaught TypeError: Cannot read properties of undefined (reading 'handlesUpgrades') exception on the server. Because the exception is not caught, it terminates the entire Node.js process. The exact structure of the triggering request is not fully detailed, but the stack trace places the exception in the Server.onWebSocket function (build/server.js:515:67), which indicates that properties or configuration related to WebSocket upgrades are accessed without the server having validated the unexpected or malicious input that selects them.
What is the Impact of CVE-2023-31125?
Successful exploitation may allow attackers to terminate the Node.js process running the Engine.IO server, leading to a denial of service for all connected clients and services.
What is the Exploitability of CVE-2023-31125?
Exploiting this vulnerability involves sending a specially crafted HTTP request to the Engine.IO server. Attack complexity is low: a single malicious request triggers the crash directly. No authentication is required, so an unauthenticated attacker with network access to the server can exploit it, and no privileges are needed. The attack is purely remote and consists of sending network packets. The only precondition is that the server runs a vulnerable version of Engine.IO (versions containing the bug, from 5.1.0 onwards up to the patched release). Risk is significantly higher when the Engine.IO server (or a dependent package such as Socket.IO) is exposed to the internet or to untrusted networks.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-31125?
About the Fix from Resolved Security
This patch changes the condition from if (errorCode), which treats falsy values such as 0 as "no error", to if (errorCode !== undefined), so that every error code, including 0, reaches the error handler. This fixes CVE-2023-31125 by correctly handling the case where an attacker specifies __proto__ as the transport value: previously that request produced error code 0, which the truthiness check treated as falsy and ignored, so the request bypassed connection error handling and reached the code that later crashed.
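To make the falsy-versus-undefined distinction concrete, here is an added illustration of the pattern that the technical details and the fix description above both refer to. It is constructed code, not engine.io's implementation: the transport table, the error-code table (with "unknown transport" assumed to be code 0), and the two handshake functions are all assumptions made for the example. The pre-fix variant uses the truthiness test and the post-fix variant uses the strict undefined comparison described in the advisory.

```javascript
// Constructed illustration of the if (errorCode) vs. if (errorCode !== undefined)
// check described in the advisory. Not engine.io's code; every name here is assumed.

// Assumed error table: the "unknown transport" code is 0, which is falsy in JavaScript.
const ERRORS = { UNKNOWN_TRANSPORT: 0, BAD_REQUEST: 3 };

// Assumed transport registry, a plain object used as a lookup table.
const TRANSPORTS = {
  polling: { handlesUpgrades: false },
  websocket: { handlesUpgrades: true },
};

// Returns an error code, or undefined when the transport name is acceptable.
// Only own keys count as registered transports, so inherited names such as
// "__proto__" or "constructor" are reported as unknown (code 0), not accepted.
function verifyTransport(name) {
  if (typeof name !== 'string') return ERRORS.BAD_REQUEST;
  if (!Object.prototype.hasOwnProperty.call(TRANSPORTS, name)) {
    return ERRORS.UNKNOWN_TRANSPORT;
  }
  return undefined;
}

// Pre-fix shape of the check: a truthiness test silently drops code 0,
// so an unknown transport is never rejected and the lookup below runs.
function handshakeBeforeFix(name) {
  const errorCode = verifyTransport(name);
  if (errorCode) {
    return { rejected: true, code: errorCode };
  }
  // For "__proto__", TRANSPORTS["__proto__"] is Object.prototype (not undefined),
  // which has no handlesUpgrades property; for any other unknown name the
  // lookup is undefined and reading .handlesUpgrades throws a TypeError.
  const transport = TRANSPORTS[name];
  return { rejected: false, handlesUpgrades: transport.handlesUpgrades };
}

// Post-fix shape of the check: only undefined means "no error", so code 0
// is handled like every other error code and the request is rejected.
function handshakeAfterFix(name) {
  const errorCode = verifyTransport(name);
  if (errorCode !== undefined) {
    return { rejected: true, code: errorCode };
  }
  const transport = TRANSPORTS[name];
  return { rejected: false, handlesUpgrades: transport.handlesUpgrades };
}

// Runs both variants over a set of constructed transport names and reports
// the outcome, catching the TypeError so the pre-fix path cannot crash the demo.
function compare(names) {
  const report = {};
  for (const name of names) {
    let before;
    try {
      before = handshakeBeforeFix(name);
    } catch (err) {
      before = { crashed: true, error: err.message };
    }
    report[String(name)] = { before, after: handshakeAfterFix(name) };
  }
  return report;
}

// Constructed sample input: two valid transports, the __proto__ case, and an unknown name.
const SAMPLE_NAMES = ['websocket', 'polling', '__proto__', 'bogus'];
console.log(JSON.stringify(compare(SAMPLE_NAMES), null, 2));
```

The usage at the bottom prints, for each constructed name, how the pre-fix and post-fix checks behave. The practical lesson for reviewers is the one the patch encodes: when an error sentinel can legitimately be 0 (or any other falsy value), compare against undefined or null explicitly rather than relying on truthiness.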
Available Upgrade Options
- engine.io
- >5.1.0, <6.4.2 → Upgrade to 6.4.2
Additional Resources
- https://security.netapp.com/advisory/ntap-20230622-0002/
- https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44
- https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5
- https://nvd.nist.gov/vuln/detail/CVE-2023-31125
- https://osv.dev/vulnerability/GHSA-q9mw-68c2-j6m5
- https://github.com/socketio/engine.io
- https://github.com/socketio/engine.io/releases/tag/6.4.2
What are Similar Vulnerabilities to CVE-2023-31125?
Similar Vulnerabilities: CVE-2022-25911, CVE-2022-37601, CVE-2023-28840, CVE-2023-32732, CVE-2022-36070
