A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
> RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
> at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
> at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
> at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
> at writeOrBuffer (internal/streams/writable.js:358:12)
This impacts all the users of the engine.io package starting from version 4.0.0, including those who uses depending packages like socket.io.
A fix has been released for each major branch:
| Version range | Fixed version |
|---|---|
[email protected] |
4.1.2 |
[email protected] |
5.2.1 |
[email protected] |
6.1.1 |
Previous versions (< 4.0.0) are not impacted.
For socket.io users:
| Version range | engine.io version |
Needs minor update? |
|---|---|---|
[email protected] |
~6.1.0 |
- |
[email protected] |
~6.0.0 |
Please upgrade to [email protected] |
[email protected] |
~5.2.0 |
- |
[email protected] |
~5.1.1 |
Please upgrade to [email protected] |
[email protected] |
~5.0.0 |
Please upgrade to [email protected] |
[email protected] |
~4.1.0 |
- |
[email protected] |
~4.0.0 |
Please upgrade to [email protected] or [email protected] (see here) |
In most cases, running npm audit fix should be sufficient. You can also use npm update engine.io --depth=9999.
There is no known workaround except upgrading to a safe version.
If you have any questions or comments about this advisory:
engine.ioThanks to Marcus Wejderot from Mevisio for the responsible disclosure.
| Score | Percentile |
|---|---|
| 4.11% | 88.51% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.5 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-273r-mgr4-v34f ↗ |
| CVE | CVE-2022-21676 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | engine.io | >= 4.0.0, < 4.1.2 | 4.1.2 | — |
| npm | engine.io | >= 5.0.0, < 5.2.1 | 5.2.1 | — |
| npm | engine.io | >= 6.0.0, < 6.1.1 | 6.1.1 | — |