Fixing CVE-2023-32695 on 3.3.x by arnaufugarolas · Pull Request #125 · socketio/socket.io-parser · GitHub
Skip to content

Fixing CVE-2023-32695 on 3.3.x#125

Merged
darrachequesne merged 1 commit into
socketio:3.3.xfrom
arnaufugarolas:3.3.x
Jul 22, 2024
Merged

Fixing CVE-2023-32695 on 3.3.x#125
darrachequesne merged 1 commit into
socketio:3.3.xfrom
arnaufugarolas:3.3.x

Conversation

@arnaufugarolas

Copy link
Copy Markdown

Description

Fixing CVE-2023-32695 on 3.3.X

Backported from 3.4.X

A packet like '2[{"toString":"foo"}]' was decoded as:

{
  type: EVENT,
  data: [ { "toString": "foo" } ]
}

Which would then throw an error when passed to the EventEmitter class:

> TypeError: Cannot convert object to primitive value
>    at Socket.emit (node:events:507:25)
>    at .../node_modules/socket.io/lib/socket.js:531:14

Backported from [socketio/socket.io-devalue-parser@2dc3c92](2dc3c92)
@arnaufugarolas arnaufugarolas changed the title Fixing CVE-2023-32695 Fixing CVE-2023-32695 on 3.3.x Oct 9, 2023
@arnaufugarolas

Copy link
Copy Markdown
Author

@darrachequesne darrachequesne merged commit ee00660 into socketio:3.3.x Jul 22, 2024
@darrachequesne

Copy link
Copy Markdown
Member

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants