CVE-2023-37899
published 2023-07-19


Priority: P339 (high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.96% (57.2th percentile)

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. The Feathers socket handler did not catch invalid string conversion errors like ``const message = `${{ toString: '' }}` ``, which would cause the NodeJS process to crash when sending an unexpected Socket.io message like `socket.emit('find', { toString: '' })`. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.
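The failure class the advisory describes, and the defensive pattern that prevents it from taking the process down, as an added example (this is not Feathers code; `buildMessageSafe` and `handleEvent` are hypothetical stand-ins for a handler that builds a message from a client-supplied value with a template literal):

```javascript
// Added example, not code from the Feathers project.
// Mirrors the advisory's failing expression: coercing an object whose
// `toString` is not a function (and whose valueOf returns a non-primitive)
// throws a TypeError ("Cannot convert object to primitive value").
function buildMessageUnsafe(value) {
  return `${value}`;
}

// Hardened variant: never let a conversion error escape. Fall back to a
// description that does not depend on the object's own methods.
function buildMessageSafe(value) {
  try {
    return `${value}`;
  } catch (err) {
    if (err instanceof TypeError) {
      return `[unprintable ${Object.prototype.toString.call(value)}]`;
    }
    throw err;
  }
}

// Minimal stand-in for a socket event handler (assumption, not the real
// Feathers API). An error thrown from an event callback and left uncaught
// surfaces as an uncaught exception and terminates a Node process; catching
// at the handler boundary keeps the process alive and returns a structured
// error to the client instead.
function handleEvent(payload, buildMessage) {
  try {
    const message = buildMessage(payload);
    return { ok: true, message };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample payloads: a normal query object and the pathological
// one from the advisory.
const normalPayload = { query: { id: 1 } };
const badPayload = { toString: '' };

console.log(handleEvent(normalPayload, buildMessageUnsafe)); // ok, "[object Object]"
console.log(handleEvent(badPayload, buildMessageUnsafe));    // ok: false, error: "TypeError"
console.log(handleEvent(badPayload, buildMessageSafe));      // ok: true, "[unprintable [object Object]]"
```

Whether the boundary catch or the safe conversion is used, the observable fix is the same: a malformed message yields an error reply, not a process exit.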

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| feathersjs | feathers | < 4.5.18 | 4.5.18 |
| feathersjs | feathers | | |
| feathersjs | feathers | >= 5.0.0 < 5.0.8 | 5.0.8 |
| feathersjs | socketio | >= 0 < 4.5.18 | 4.5.18 |
| feathersjs | socketio | >= 5.0.0 < 5.0.8 | 5.0.8 |
| feathersjs | transport-commons | >= 0 < 4.5.18 | 4.5.18 |
| feathersjs | transport-commons | >= 5.0.0 < 5.0.8 | 5.0.8 |