DIVD-2022-00045 - Injection vulnerability found within Socket.io

Our reference DIVD-2022-00045
Case lead Ralph Horn
Author Victor Pasman
Researcher(s)
CVE(s)
Product Socket.io
Versions 4.x < 4.2.1
Recommendation If you received a notification of a vulnerability, patch your system with the information provided in this notification.
Patch status Available
Status Open
Last modified 28 Oct 2022 13:14

Summary

By leveraging the vulnerabilities, an unauthenticated attacker with network access to the application using Socket.io can execute arbitrary system commands.

What you can do

We recommend to use the latest version of Socket.io

What we are doing

Timeline

Date Description
29 Apr 2022 Vulnerability discovered by Thomas Rinsma from Codean.
25 May 2022 Testing by DIVD conforms that the vulnerabilities are still present in the product.
27 Jun 2022 Vendor releases new update and asks us to retest vulnerabilities.
13 Jul 2022 We confirm vulnerabilities have been fixed.
25 Oct 2022 Limited Disclosure
gantt title DIVD-2022-00045 - Injection vulnerability found within Socket.io dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00045 - Injection vulnerability found within Socket.io (still open) :2022-04-29, 2023-04-03 section Events Vulnerability discovered by Thomas Rinsma from Codean. : milestone, 2022-04-29, 0d Testing by DIVD conforms that the vulnerabilities are still present in the product. : milestone, 2022-05-25, 0d Vendor releases new update and asks us to retest vulnerabilities. : milestone, 2022-06-27, 0d We confirm vulnerabilities have been fixed. : milestone, 2022-07-13, 0d Limited Disclosure : milestone, 2022-10-25, 0d

More information