CVE-2022-41940

Severity: Medium (CVSS 3.1 base score 6.5)
Published Nov 22, 2022 · Last Modified Jun 17, 2026

Description

Engine.IO is the implementation of the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all users of the engine.io package, including those who use dependent packages such as socket.io. There is no known workaround except upgrading to a safe version. Patches for this issue were released in versions 3.6.1 and 6.2.1.

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-248

Affected Products 2

Vendor    Product     Version    Range
socket    engine.io   *          <3.6.1
socket    engine.io   *          ≥4.0.0 and <6.2.1

References 3

  • github.com https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6
    Patch, Third Party Advisory
  • github.com https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085
    Patch, Third Party Advisory
  • github.com https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w
    Exploit, Third Party Advisory

Remediation

  • github.com https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6
    Patch, Third Party Advisory
  • github.com https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085
    Patch, Third Party Advisory