VYPR
High severity · NVD Advisory · Published Jul 19, 2023 · Updated Oct 28, 2024

feathersjs socket handler allows abusing implicit toString

CVE-2023-37899

Description

Feathers is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. The Feathers socket handler did not catch errors raised by implicit string conversion, such as const message = `${{ toString: '' }}` (interpolating an object whose toString property is not callable throws a TypeError), so a client sending an unexpected Socket.io message like socket.emit('find', { toString: '' }) could crash the Node.js process. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem  Affected versions   Patched version
@feathersjs/socketio           npm        < 4.5.18            4.5.18
@feathersjs/socketio           npm        >= 5.0.0, < 5.0.8   5.0.8
@feathersjs/transport-commons  npm        < 4.5.18            4.5.18
@feathersjs/transport-commons  npm        >= 5.0.0, < 5.0.8   5.0.8
