CVE-2023-31125: engine.io Uncaught Exception vulnerability

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
 at Server.onWebSocket (build/server.js:515:67)

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

A fix has been released today (2023/05/02): 6.4.2

This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.

For socket.io users:

• socket.io@4.6.x ~6.4.0 npm audit fix should be sufficient
• socket.io@4.5.x ~6.2.0 Please upgrade to socket.io@4.6.x
• socket.io@4.4.x ~6.1.0 Please upgrade to socket.io@4.6.x
• socket.io@4.3.x ~6.0.0 Please upgrade to socket.io@4.6.x
• socket.io@4.2.x ~5.2.0 Please upgrade to socket.io@4.6.x
• socket.io@4.1.x ~5.1.1 Please upgrade to socket.io@4.6.x
• socket.io@4.0.x ~5.0.0 Not impacted
• socket.io@3.1.x ~4.1.0 Not impacted
• socket.io@3.0.x ~4.0.0 Not impacted
• socket.io@2.5.0 ~3.6.0 Not impacted
• socket.io@2.4.x and below ~3.5.0 Not impacted

There is no known workaround except upgrading to a safe version.

If you have any questions or comments about this advisory open an issue in engine.io

Thanks to Thomas Rinsma from Codean for the responsible disclosure.