CVE-2022-2421

Socket.io - Improper type validation in attachment parsing

CVE

CVE-2022-2421

Title

Socket.io - Improper type validation in attachment parsing

Case

DIVD-2022-00045

Credits

Discovered by Thomas Rinsma (Codean) (finder)

Affected products

Product	Affected	Unaffected	Unknown
Socket.io Socket.io-Parser	>= 4.x to < 4.2.1 (custom)
Socket.io Socket.io-Parser

CVSS

Base score: 10 (CRITICAL)

References

https://csirt.divd.nl/CVE-2022-2421 ( third-party-advisory )
https://csirt.divd.nl/DIVD-2022-00045 ( third-party-advisory )

Problem type(s)

CWE-89 SQL Injection

Date published

24 Oct 2022 22:00 UTC

Last modified

02 Jan 2024 18:32 UTC

Description

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

JSON version.

DIVD CSIRT

CVE-2022-2421

Socket.io - Improper type validation in attachment parsing

Description