CVE-2023-37899: Improper Check for Unusual or Exceptional Conditions
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler does not catch invalid string conversion errors like const message = ${{ toString: '' }} which would cause the NodeJS process to crash when sending an unexpected Socket.io message like socket.emit('find', { toString: '' }). A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.
References
- github.com/advisories/GHSA-hhr9-rh25-hvf9
- github.com/feathersjs/feathers/blob/crow/CHANGELOG.md
- github.com/feathersjs/feathers/blob/dove/CHANGELOG.md
- github.com/feathersjs/feathers/commit/0b9a6b19b12ad05934e4c8bd9917448ed39d1ed8
- github.com/feathersjs/feathers/commit/c397ab3a0cd184044ae4f73540549b30a396821c
- github.com/feathersjs/feathers/pull/3241
- github.com/feathersjs/feathers/pull/3242
- github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9
- nvd.nist.gov/vuln/detail/CVE-2023-37899
Detect and mitigate CVE-2023-37899 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →