Moderate severity · NVD Advisory · Published May 8, 2023 · Updated Feb 13, 2025

Uncaught exception in engine.io

CVE-2023-31125

Description

Engine.IO is the implementation of the transport-based, cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, killing the Node.js process. This affects all users of the engine.io package, including those who use dependent packages such as socket.io. The issue was fixed in Engine.IO version 6.4.2. There is no known workaround other than upgrading to a safe version.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| engine.io (npm) | >= 5.1.0, < 6.4.2 | 6.4.2 |
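
A lockfile check for the affected range given above (>= 5.1.0, < 6.4.2), added here as an example and not taken from the advisory or the Engine.IO project. The function names and the sample lockfile are constructed for illustration, and prerelease tags are ignored when comparing versions.

```javascript
// Added example: flag engine.io entries in an npm lockfile that fall in the
// affected range from this advisory (>= 5.1.0, < 6.4.2).

// Parse "major.minor.patch" into numbers; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison, so that 6.10.0 sorts after 6.4.2.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, [5, 1, 0]) >= 0 && compare(v, [6, 4, 2]) < 0;
}

// Handles lockfileVersion 2/3 ("packages" keyed by install path) and
// lockfileVersion 1 (nested "dependencies"), including transitive copies
// pulled in by socket.io.
function findAffectedEngineIo(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/engine\.io$/.test(path) && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "engine.io" && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not real project data).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/engine.io": { version: "6.2.0" },
  "node_modules/engine.io-client": { version: "6.2.3" },
  "node_modules/legacy/node_modules/engine.io": { version: "3.6.1" },
} };
console.log(findAffectedEngineIo(sampleLock));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findAffectedEngineIo`.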
