VYPR
High severityNVD Advisory· Published Jan 12, 2022· Updated Apr 23, 2025

Uncaught Exception in engine.io

CVE-2022-21676

Description

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package starting from version 4.0.0, including those who uses depending packages like socket.io. Versions prior to 4.0.0 are not impacted. A fix has been released for each major branch, namely 4.1.2 for the 4.x.x branch, 5.2.1 for the 5.x.x branch, and 6.1.1 for the 6.x.x branch. There is no known workaround except upgrading to a safe version.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
engine.ionpm
>= 4.0.0, < 4.1.24.1.2
engine.ionpm
>= 5.0.0, < 5.2.15.2.1
engine.ionpm
>= 6.0.0, < 6.1.16.1.1

Affected products

2

Patches

Vulnerability mechanics

References

11

News mentions

0

No linked articles in our index yet.