VYPR
Moderate severity · NVD Advisory · Published May 8, 2023 · Updated Feb 13, 2025

Uncaught exception in engine.io

CVE-2023-31125

Description

Engine.IO is the implementation of the transport-based, cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught-exception vulnerability was introduced in Engine.IO 5.1.0 (shipped in version 4.1.0 of the socket.io parent package); older versions are not affected. A specially crafted HTTP request, one whose `transport` query parameter is `__proto__` as the regression tests in the fix commit show, triggers an uncaught exception on the Engine.IO server and kills the Node.js process. Every user of the engine.io package is affected, including users of dependent packages such as socket.io. The issue is fixed in Engine.IO 6.4.2; there is no known workaround other than upgrading to a patched version.
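The failure mode described above, as an added JavaScript illustration that is not engine.io's own code: it models the check the fix changes (`if (errorCode)` becomes `if (errorCode !== undefined)`) and shows why a `transport=__proto__` query value is the one that turns the dropped error into an uncaught TypeError. The names `verify`, `openTransport`, `makeHandler`, the `transports` registry and the error table are stand-ins chosen for this example; the only values taken from the page are error code 0 meaning "Transport unknown" and the `__proto__` trigger. The plain-object registry guarded by an `=== undefined` lookup is an assumption about downstream code that the advisory does not show.

```javascript
// Added illustration, not engine.io's code. Error code 0 ("Transport unknown")
// is the value the fix's regression tests assert on; a truthiness check on an
// error code silently drops exactly that value.
const errors = { UNKNOWN_TRANSPORT: 0, BAD_REQUEST: 3 };
const errorMessages = { 0: "Transport unknown", 3: "Bad request" };

// Hypothetical transport registry keyed by the request's `transport` value.
class Polling { constructor() { this.name = "polling"; } }
class WebSocketTransport { constructor() { this.name = "websocket"; } }
const transports = { polling: Polling, websocket: WebSocketTransport };
const allowedTransports = Object.keys(transports); // ["polling", "websocket"]

// Parses the raw query string, e.g. "EIO=4&transport=__proto__", into a
// null-prototype object so the query object itself cannot be poisoned.
function parseQuery(rawQuery) {
  const query = Object.create(null);
  for (const [k, v] of new URLSearchParams(rawQuery)) query[k] = v;
  return query;
}

// Stand-in for the verification step: an unknown transport reports code 0.
function verify(query, fn) {
  if (!allowedTransports.includes(query.transport)) {
    return fn(errors.UNKNOWN_TRANSPORT, { transport: query.transport });
  }
  return fn(undefined, undefined);
}

// Stand-in (assumed, not the library's code) for what runs once verification
// has "passed". A lookup guard on a plain object is satisfied by "__proto__"
// because it resolves to the inherited Object.prototype, so only that name
// reaches `new`, where `new Object.prototype()` throws "is not a constructor".
function openTransport(name) {
  if (transports[name] === undefined) {
    return { status: 400, code: errors.BAD_REQUEST, message: errorMessages[3] };
  }
  return { status: 200, transport: new transports[name]().name };
}

// Builds a request handler whose rejection test is `rejectWhen(errorCode)`.
function makeHandler(rejectWhen) {
  return (rawQuery) => {
    const query = parseQuery(rawQuery);
    let outcome;
    verify(query, (errorCode, errorContext) => {
      if (rejectWhen(errorCode)) {
        outcome = {
          status: 400,
          code: errorCode,
          message: errorMessages[errorCode],
          context: errorContext,
        };
        return;
      }
      outcome = openTransport(query.transport); // throws for "__proto__"
    });
    return outcome;
  };
}

// Before the fix: `if (errorCode)`; code 0 is falsy, so the error is ignored.
const handleVulnerable = makeHandler((code) => Boolean(code));
// After the fix: `if (errorCode !== undefined)`; code 0 is rejected.
const handleFixed = makeHandler((code) => code !== undefined);

// "crash: <ErrorName>" if the handler throws, otherwise the status it produced.
function outcomeOf(handler, rawQuery) {
  try {
    return String(handler(rawQuery).status);
  } catch (e) {
    return `crash: ${e.constructor.name}`;
  }
}

// Runs the four interesting cases; the unknown-but-harmless name "tobi" shows
// that the vulnerable handler does not crash on every unknown transport.
function demo() {
  return {
    vulnTobi: outcomeOf(handleVulnerable, "EIO=4&transport=tobi"),
    vulnProto: outcomeOf(handleVulnerable, "EIO=4&transport=__proto__"),
    fixedProto: outcomeOf(handleFixed, "EIO=4&transport=__proto__"),
    fixedPolling: outcomeOf(handleFixed, "EIO=4&transport=polling"),
  };
}

console.log(demo());
```

Two defence-in-depth points follow from the model: an error-code convention in which 0 is a valid failure value must never be tested with a truthiness check, and a registry indexed by attacker-controlled strings should be a null-prototype object (`Object.create(null)`) so that `__proto__`, `constructor` and similar names do not resolve to inherited properties.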

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions      Patched versions
engine.io (npm)    >= 5.1.0, < 6.4.2      6.4.2

Patches

fc480b4f305e

fix: prevent crash when provided with an invalid query param

https://github.com/socketio/engine.io · Damien Arrachequesne · May 1, 2023 · via GHSA
3 files changed · +48 -2
  • lib/server.ts (+1 -1, modified)
    @@ -682,7 +682,7 @@ export class Server extends BaseServer {
     
         const res = new WebSocketResponse(req, socket);
         const callback = (errorCode, errorContext) => {
    -      if (errorCode) {
    +      if (errorCode !== undefined) {
             this.emit("connection_error", {
               req,
               code: errorCode,
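Review bot: the strict comparison is the right fix here, since code 0 (the "Transport unknown" code the new tests assert on) is exactly the value `if (errorCode)` drops, but the condition now relies on every success path in verify() invoking the callback with `undefined` in the first argument; a call such as `callback(null)` would be reported as an error with no message. Document that contract on the callback, or have verify() pass an explicit result rather than a code that can be 0, and grep the remaining handlers for any other `if (errorCode)` test on the same code table, since this patch only touches this site and the uServer one.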
    
  • lib/userver.ts (+1 -1, modified)
    @@ -165,7 +165,7 @@ export class uServer extends BaseServer {
         req.res = res;
     
         const callback = async (errorCode, errorContext) => {
    -      if (errorCode) {
    +      if (errorCode !== undefined) {
             this.emit("connection_error", {
               req,
               code: errorCode,
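Review bot: this is the same one-token bug as in lib/server.ts, fixed separately in two subclasses of BaseServer (`Server extends BaseServer` and `uServer extends BaseServer` are both visible in the hunk headers). Moving the `errorCode !== undefined` test and the `connection_error` emit into one protected helper on BaseServer would keep a third server implementation from reintroducing the truthy check.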
    
  • test/server.js (+46 -0, modified)
    @@ -11,6 +11,7 @@ const { ClientSocket, listen, createPartialDone } = require("./common");
     const expect = require("expect.js");
     const request = require("superagent");
     const cookieMod = require("cookie");
    +const { WebSocket } = require("ws");
     
     /**
      * Tests.
    @@ -197,6 +198,51 @@ describe("server", () => {
               });
           });
         });
    +
    +    it("should disallow `__proto__` as transport (polling)", (done) => {
    +      const partialDone = createPartialDone(done, 2);
    +
    +      engine = listen((port) => {
    +        engine.on("connection_error", (err) => {
    +          expect(err.req).to.be.ok();
    +          expect(err.code).to.be(0);
    +          expect(err.message).to.be("Transport unknown");
    +          expect(err.context.transport).to.be("__proto__");
    +          partialDone();
    +        });
    +
    +        request
    +          .get(`http://localhost:${port}/engine.io/`)
    +          .query({ transport: "__proto__", EIO: 4 })
    +          .end((err, res) => {
    +            expect(err).to.be.an(Error);
    +            expect(res.status).to.be(400);
    +            expect(res.body.code).to.be(0);
    +            expect(res.body.message).to.be("Transport unknown");
    +            partialDone();
    +          });
    +      });
    +    });
    +
    +    it("should disallow `__proto__` as transport (websocket)", (done) => {
    +      const partialDone = createPartialDone(done, 2);
    +
    +      engine = listen((port) => {
    +        engine.on("connection_error", (err) => {
    +          expect(err.req).to.be.ok();
    +          expect(err.code).to.be(0);
    +          expect(err.message).to.be("Transport unknown");
    +          expect(err.context.transport).to.be("__proto__");
    +          partialDone();
    +        });
    +
    +        const socket = new WebSocket(
    +          `ws://localhost:${port}/engine.io/?EIO=4&transport=__proto__`
    +        );
    +
    +        socket.onerror = partialDone;
    +      });
    +    });
       });
     
       describe("handshake", () => {
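Review bot: the websocket case only asserts that the client's `onerror` fires, which it would also do if the server crashed or simply dropped the socket; unlike the polling case it never checks the failed upgrade's HTTP response. Consider listening for ws's `unexpected-response` event and asserting the status there, so the test distinguishes a clean 400 from a dead server. Separately, `socket.onerror = partialDone;` forwards the ErrorEvent as partialDone's first argument; `socket.onerror = () => partialDone();` avoids depending on createPartialDone ignoring arguments.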
    
