High severity · NVD Advisory · Published Jul 19, 2023 · Updated Oct 28, 2024
feathersjs socket handler allows abusing implicit toString
CVE-2023-37899
Description
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. The Feathers socket handler did not catch invalid string conversion errors such as `` const message = `${{ toString: '' }}` ``, which would cause the NodeJS process to crash when an unexpected Socket.io message like `socket.emit('find', { toString: '' })` was sent. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.
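The crash mechanism described above, as an added example that is not Feathers code: a template literal (or `String(x)`) calls the object's `toString`, and when that property is not callable and `valueOf` returns the object itself, the engine throws a `TypeError`. A handler with no `try`/`catch` turns that into an uncaught exception. The `naiveDescribe`, `hardenedDescribe` and `dispatch` functions below are hypothetical stand-ins for a socket event handler and dispatcher, written here to show the failure beside a guarded form; they are not the fix the project shipped.

```javascript
// Added illustration (not Feathers code). Shows why `${obj}` throws for
// { toString: '' } and how a handler can fail closed instead of crashing.

// Naive handler: builds a message with a template literal, which runs
// ToPrimitive on the payload. For { toString: '' } the toString property is
// not callable and valueOf (inherited) returns the object itself, so no
// primitive is produced and the engine throws a TypeError.
function naiveDescribe(event, payload) {
  return `Service event '${event}' with params ${payload}`;
}

// Explicit conversion with a guard: a conversion failure is treated as a
// bad client value rather than allowed to propagate.
function safeString(value) {
  try {
    return String(value);
  } catch (err) {
    if (err instanceof TypeError) return '[unconvertible value]';
    throw err;
  }
}

// Hardened handler: same message, but built through the guarded conversion.
function hardenedDescribe(event, payload) {
  return `Service event '${event}' with params ${safeString(payload)}`;
}

// Hypothetical dispatcher standing in for the transport layer: reports the
// handler outcome as a value instead of letting an exception kill the process.
function dispatch(handler, event, payload) {
  try {
    return { ok: true, message: handler(event, payload) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample messages: the malformed payload from the advisory text
// and an ordinary query object.
const samples = [
  ['find', { toString: '' }],
  ['find', { query: { id: 1 } }],
];

for (const [event, payload] of samples) {
  console.log('naive    :', JSON.stringify(dispatch(naiveDescribe, event, payload)));
  console.log('hardened :', JSON.stringify(dispatch(hardenedDescribe, event, payload)));
}
```

Run with `node`. The naive path reports `{"ok":false,"error":"TypeError"}` for the malformed payload, which in a real process without a surrounding catch would be an unhandled exception; the hardened path returns a message for both inputs. Catching at the dispatcher boundary is the general mitigation the upgrade provides; upgrading to 4.5.18 or 5.0.8 is still the only supported fix.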
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @feathersjs/socketio (npm) | < 4.5.18 | 4.5.18 |
| @feathersjs/socketio (npm) | >= 5.0.0, < 5.0.8 | 5.0.8 |
| @feathersjs/transport-commons (npm) | < 4.5.18 | 4.5.18 |
| @feathersjs/transport-commons (npm) | >= 5.0.0, < 5.0.8 | 5.0.8 |
Affected products
- GHSA coordinates, 2 version ranges: < 4.5.18, plus one more range (see the affected packages table above)
- (no CPE) range: < 4.5.18
Patches
Vulnerability mechanics
References
- https://github.com/advisories/GHSA-hhr9-rh25-hvf9 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-37899 (GHSA, advisory)
- https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md (GHSA, x_refsource_MISC, web)
- https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md (GHSA, x_refsource_MISC, web)
- https://github.com/feathersjs/feathers/commit/0b9a6b19b12ad05934e4c8bd9917448ed39d1ed8 (GHSA, web)
- https://github.com/feathersjs/feathers/commit/c397ab3a0cd184044ae4f73540549b30a396821c (GHSA, web)
- https://github.com/feathersjs/feathers/pull/3241 (GHSA, x_refsource_MISC, web)
- https://github.com/feathersjs/feathers/pull/3242 (GHSA, x_refsource_MISC, web)
- https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9 (GHSA, x_refsource_CONFIRM, web)