Critical severity 10.0 · NVD Advisory · Published Oct 26, 2022 · Updated Jun 17, 2026
CVE-2022-2421
Description
Due to improper type validation in attachment parsing in the Socket.io js library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| socket.io-parser (npm) | >= 4.0.0, < 4.0.5 | 4.0.5 |
| socket.io-parser (npm) | >= 4.1.0, < 4.2.1 | 4.2.1 |
| socket.io-parser (npm) | < 3.3.3 | 3.3.3 |
| socket.io-parser (npm) | >= 3.4.0, < 3.4.2 | 3.4.2 |
Affected products
- Range: 4.x
References
- csirt.divd.nl/CVE-2022-2421 (nvd; Third Party Advisory; WEB)
- csirt.divd.nl/DIVD-2022-00045 (nvd; Third Party Advisory; WEB)
- github.com/advisories/GHSA-qm95-pgcg-qqfq (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-2421 (ghsa; ADVISORY)
- csirt.divd.nl/cases/DIVD-2022-00045 (ghsa; WEB)
- csirt.divd.nl/cves/CVE-2022-2421 (ghsa; WEB)
- github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14 (ghsa; WEB)
- github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4 (ghsa; WEB)
- github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050 (ghsa; WEB)
- github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983 (ghsa; WEB)