All the vulnerabilities related to the version 1.0.0 of the package
Server-Side Request Forgery in Request
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).
NOTE: The request package is no longer supported by the maintainer.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range | Needs minor update? |
|---|---|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:
```js
io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});
```
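Why the listener prevents the crash, as an added example that is not part of the advisory or of socket.io's code. It assumes only what the trace shows: the socket is a Node.js EventEmitter that emits "error" with an undefined argument. `FakeSocket`, `onMalformedPacket`, `attachErrorGuard` and `simulate` are hypothetical names.

```javascript
const { EventEmitter } = require("node:events");

// Stand-in for a server-side socket (assumption: like the real one, it is an
// EventEmitter and reports a bad packet by emitting "error").
class FakeSocket extends EventEmitter {
  constructor(id) {
    super();
    this.id = id;
    this.connected = true;
  }
  disconnect() {
    this.connected = false;
  }
  // Hypothetical hook mirroring the emit at socket.js:531 in the trace.
  onMalformedPacket(err) {
    this.emit("error", err);
  }
}

// The advisory's workaround with a body: record the event, drop the client.
function attachErrorGuard(socket, log) {
  socket.on("error", (err) => {
    log.push({ id: socket.id, error: String(err) });
    socket.disconnect();
  });
}

// Feed one malformed packet and report whether the process would survive.
// In a real server nothing catches the throw, so Node.js exits.
function simulate(guarded) {
  const log = [];
  const socket = new FakeSocket("constructed-id"); // constructed sample id
  if (guarded) attachErrorGuard(socket, log);
  try {
    socket.onMalformedPacket(undefined);
    return { survived: true, code: null, connected: socket.connected, log };
  } catch (e) {
    return { survived: false, code: e.code, connected: socket.connected, log };
  }
}

console.log("no listener:  ", simulate(false));
console.log("with listener:", simulate(true));
```

The unguarded run fails with the same `ERR_UNHANDLED_ERROR` code as the trace above; the guarded run logs the event and disconnects only the offending client.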
Thanks a lot to Paul Taylor for the responsible disclosure.
Uncaught exception in engine.io
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
```
events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}
```
This impacts all users of the engine.io package, including those who use dependent packages like socket.io.
A fix has been released today (2022/11/20):
| Version range | Fixed version |
|---|---|
| engine.io@3.x.y | 3.6.1 |
| engine.io@6.x.y | 6.2.1 |
For socket.io users:
| Version range | engine.io version | Needs minor update? |
|---|---|---|
| socket.io@4.5.x | ~6.2.0 | npm audit fix should be sufficient |
| socket.io@4.4.x | ~6.1.0 | Please upgrade to socket.io@4.5.x |
| socket.io@4.3.x | ~6.0.0 | Please upgrade to socket.io@4.5.x |
| socket.io@4.2.x | ~5.2.0 | Please upgrade to socket.io@4.5.x |
| socket.io@4.1.x | ~5.1.1 | Please upgrade to socket.io@4.5.x |
| socket.io@4.0.x | ~5.0.0 | Please upgrade to socket.io@4.5.x |
| socket.io@3.1.x | ~4.1.0 | Please upgrade to socket.io@4.5.x (see here) |
| socket.io@3.0.x | ~4.0.0 | Please upgrade to socket.io@4.5.x (see here) |
| socket.io@2.5.0 | ~3.6.0 | npm audit fix should be sufficient |
| socket.io@2.4.x and below | ~3.5.0 | Please upgrade to socket.io@2.5.0 |
There is no known workaround except upgrading to a safe version.
Thanks to Jonathan Neve for the responsible disclosure.
Insufficient validation when decoding a Socket.IO packet
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```
TypeError: Cannot convert object to primitive value
    at Socket.emit (node:events:507:25)
    at .../node_modules/socket.io/lib/socket.js:531:14
```
A fix has been released today (2023/05/22):
socket.io-parser@4.2.3
socket.io-parser@3.4.3
Another fix has been released for the 3.3.x branch:
| socket.io version | socket.io-parser version | Needs minor update? |
|---|---|---|
| 4.5.2...latest | ~4.2.0 (ref) | npm audit fix should be sufficient |
| 4.1.3...4.5.1 | ~4.1.1 (ref) | Please upgrade to socket.io@4.6.x |
| 3.0.5...4.1.2 | ~4.0.3 (ref) | Please upgrade to socket.io@4.6.x |
| 3.0.0...3.0.4 | ~4.0.1 (ref) | Please upgrade to socket.io@4.6.x |
| 2.3.0...2.5.0 | ~3.4.0 (ref) | npm audit fix should be sufficient |
There is no known workaround except upgrading to a safe version.
Thanks to @rafax00 for the responsible disclosure.