CVE-2023-32695
Denial of Service vulnerability in socket.io-parser (npm)
What is CVE-2023-32695 About?
A specially crafted Socket.IO packet can trigger an uncaught exception in the Socket.IO server, leading to a Denial of Service. This vulnerability causes the Node.js process to crash, rendering the server unavailable. Exploitation is relatively easy for an attacker who can send malicious Socket.IO packets.
Affected Software
- socket.io-parser
  - >3.4.0, <3.4.3
  - <3.3.4
  - >4.0.4, <4.2.3
Technical Details
The vulnerability is triggered by a specially crafted Socket.IO packet that, when processed by the server, results in an uncaught exception. The reported stack trace, `TypeError: Cannot convert object to primitive value at Socket.emit (node:events:507:25) at .../node_modules/socket.io/lib/socket.js:531:14`, shows that the exception is raised during an `emit` call on the `Socket` object in Socket.IO. This `TypeError` arises when the JavaScript runtime must coerce a value to a primitive (such as a string or number) but is given an object it cannot convert. In this context, it indicates that the malicious packet carries an object where `socket.js` expects a primitive (the event name, which is the first element of an event packet's payload), so the `emit` call throws and, with nothing catching the exception, the Node.js process hosting the Socket.IO server crashes.
What is the Impact of CVE-2023-32695?
Successful exploitation may allow attackers to cause a denial of service, making the Socket.IO server and any dependent services unavailable to legitimate users.
What is the Exploitability of CVE-2023-32695?
Exploitation of this vulnerability is of low to moderate complexity. An attacker needs to be able to establish a connection to the Socket.IO server and send a specially crafted packet. No authentication or elevated privileges are mentioned, implying that any client capable of connecting to the Socket.IO endpoint could potentially exploit this. This is a remote vulnerability, as the attack is initiated by sending network packets to the server. The primary prerequisite is an accessible Socket.IO server running a vulnerable version. The ease of exploitation is increased by the fact that a single malformed packet is enough to take down the server.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-32695?
About the Fix from Resolved Security
The patch updates payload validation for event packets to ensure the first element is a string or number, rejecting payloads whose first element is an object or another non-primitive value. This fixes CVE-2023-32695 by blocking crafted payloads that could trigger unexpected behavior or security flaws in downstream event handling.
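As an added illustration (not socket.io-parser's own code), the following contrasts a pre-fix style payload check with the string-or-number check described above, and shows why an object event name fails at `emit` time as explained in the Technical Details; the function names and the decoded sample payloads are assumptions constructed for this example.

```javascript
// Pre-fix shape of the event-payload check (assumed): any non-empty array
// passes, so an object in the first position reaches socket.emit().
function isEventPayloadValidVulnerable(payload) {
  return Array.isArray(payload) && payload.length > 0;
}

// Post-fix shape, as described in the advisory: the event name (first
// element) must already be a primitive string or number, so nothing
// downstream has to coerce it.
function isEventPayloadValidFixed(payload) {
  if (!Array.isArray(payload) || payload.length === 0) return false;
  const name = payload[0];
  return typeof name === "string" || typeof name === "number";
}

// Why the pre-fix check is not enough: looking up a handler by event name
// coerces the name to a property key. A null-prototype object has no
// toString/valueOf, so the coercion itself throws a TypeError before any
// handler runs. Returns the error message, or null if coercion succeeded.
function eventNameCoercionError(name) {
  const handlers = {};
  try {
    void handlers[name];
    return null;
  } catch (err) {
    return err instanceof TypeError ? err.message : String(err);
  }
}

// Constructed decoded payloads (the JSON array of an EVENT packet after
// parsing); "malformed" models an object where the event name should be.
const SAMPLE_PAYLOADS = {
  normal: ["chat message", "hello"],
  numericName: [7, "hello"],
  malformed: [Object.create(null), "hello"],
  empty: [],
};

// Run both checks over the samples; returns { label: { vulnerable, fixed } }.
function compareChecks(samples = SAMPLE_PAYLOADS) {
  const out = {};
  for (const [label, payload] of Object.entries(samples)) {
    out[label] = {
      vulnerable: isEventPayloadValidVulnerable(payload),
      fixed: isEventPayloadValidFixed(payload),
    };
  }
  return out;
}

console.log(compareChecks());
```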
Available Upgrade Options
- socket.io-parser
  - <3.3.4 → Upgrade to 3.3.4
  - >3.4.0, <3.4.3 → Upgrade to 3.4.3
  - >4.0.4, <4.2.3 → Upgrade to 4.2.3
Additional Resources
- https://osv.dev/vulnerability/GHSA-cqmj-92xf-r6r9
- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3
- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3
- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9
- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced
- https://github.com/socketio/socket.io-parser
- https://nvd.nist.gov/vuln/detail/CVE-2023-32695
- https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4
What are Similar Vulnerabilities to CVE-2023-32695?
Similar Vulnerabilities: CVE-2023-34104, CVE-2023-28867, CVE-2022-23473, CVE-2021-41133, CVE-2021-23358
