CVE-2023-37899
Published: 2023-07-19
Priority: P339 | Severity: high | CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.96% (57.2th percentile)
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. The Feathers socket handler did not catch string conversion errors such as the TypeError thrown by ``const message = `${{ toString: '' }}` `` (interpolating an object whose `toString` property is not a function). Because the error was uncaught, any connected client could crash the Node.js process by sending an unexpected Socket.io message such as `socket.emit('find', { toString: '' })`; no authentication is required, so this is a remotely triggerable denial of service. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| feathersjs | feathers | < 4.5.18 | 4.5.18 |
| feathersjs | feathers | — | — |
| feathersjs | feathers | >= 5.0.0 < 5.0.8 | 5.0.8 |
| feathersjs | socketio | >= 0 < 4.5.18 | 4.5.18 |
| feathersjs | socketio | >= 5.0.0 < 5.0.8 | 5.0.8 |
| feathersjs | transport-commons | >= 0 < 4.5.18 | 4.5.18 |
| feathersjs | transport-commons | >= 5.0.0 < 5.0.8 | 5.0.8 |
GHSA (GHSA-hhr9-rh25-hvf9, published 2023-07-20)
CVE-2023-37899 [HIGH] CWE-754 (Improper Check for Unusual or Exceptional Conditions)
Feathers socket handler allows abusing implicit toString
### Impact
The Feathers socket handler did not catch string conversion errors (a TypeError raised when an object whose `toString` property is not a function is interpolated into a string), for example:
```ts
const message = `${{ toString: '' }}`
```
Because the error was uncaught, it crashed the Node.js process when a client sent an unexpected Socket.io message such as
```ts
socket.emit('find', { toString: '' })
```
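The following Node.js script is an added example, not code from this advisory or from the Feathers project. It reproduces the conversion failure described above (and in the summary at the top of the page) and contrasts an unguarded event handler with one that catches the error and answers the offending client instead of taking the process down. The handler factories, `simulateProcess`, and the sample wire message are constructed for illustration and do not reflect how the Feathers fix is implemented.

```javascript
// Added example (not Feathers project code). Reproduces the root cause of
// CVE-2023-37899 in plain Node.js and contrasts an unguarded event handler
// with one that catches the conversion error. Handler shapes, the process
// simulation and the wire message are constructed for illustration.

// Socket.io frames are JSON-decoded before reaching application handlers, so
// this payload arrives as a plain object whose own `toString` property is the
// empty string (constructed sample, not a captured frame).
const WIRE_MESSAGE = '{"toString":""}';

// Template-literal interpolation runs ToPrimitive(value, "string"):
//  1. Symbol.toPrimitive  -> absent on a plain object
//  2. toString            -> '' is not callable, so it is skipped
//  3. valueOf             -> Object.prototype.valueOf returns the object itself
// No primitive was produced, so the engine throws a TypeError.
function convertToMessage(value) {
  return `${value}`;
}

// Probe a value: report whether interpolation succeeds or which error it throws.
function tryConvert(value) {
  try {
    return { ok: true, message: convertToMessage(value) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Unpatched shape: the conversion is not guarded, so the TypeError escapes the
// handler. In a real server that surfaces as 'uncaughtException' and the
// process exits.
function makeVulnerableHandler() {
  return function onEvent(eventName, payload) {
    return `${eventName}: ${payload}`;
  };
}

// Hardened shape: the conversion is wrapped, and a failure becomes an error
// reply for this client instead of a process-wide crash.
function makeHardenedHandler() {
  return function onEvent(eventName, payload) {
    try {
      return { ok: true, message: `${eventName}: ${payload}` };
    } catch (err) {
      return { ok: false, error: 'Invalid message' };
    }
  };
}

// Feed a sequence of events through a handler. The first exception that
// escapes the handler is treated as a process crash; later events are lost.
function simulateProcess(handler, events) {
  let handled = 0;
  for (const [eventName, payload] of events) {
    try {
      handler(eventName, payload);
      handled += 1;
    } catch (err) {
      return { crashed: true, reason: err.message, handled };
    }
  }
  return { crashed: false, handled };
}

// Constructed traffic: one benign query, the hostile frame, one benign call.
const EVENTS = [
  ['find', { query: { id: 1 } }],
  ['find', JSON.parse(WIRE_MESSAGE)],
  ['get', 'abc'],
];

// Stand-alone run: the probe result and both process outcomes.
console.log(tryConvert(JSON.parse(WIRE_MESSAGE)));
console.log(simulateProcess(makeVulnerableHandler(), EVENTS));
console.log(simulateProcess(makeHardenedHandler(), EVENTS));
```

Note that `{ "valueOf": "" }` does not trigger the error, because `Object.prototype.toString` is still callable and yields `"[object Object]"`; the crash needs `toString` itself to be shadowed by a non-function (`""`, `null`, a number). A process-level `uncaughtException` listener is not a substitute for the per-handler guard: it keeps the process alive but leaves the connection in an undefined state, so the right fix is the one the advisory describes, upgrading to a version whose socket handler catches the error itself.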
### Patches
A fix has been released in
- `v5.0.8` via #3241
- `v4.5.18` via #3242
### Workarounds
None. Since the bug is in the core socket handling code, upgrading to a fixed version (5.0.8 or 4.5.18) is necessary.
### References
- [v5.0.8 Changelog](https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19)
- [v4.5.18 Changelog](https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19)
OSV (published 2023-07-20)
CVE-2023-37899 [HIGH] Feathers socket handler allows abusing implicit toString
The OSV entry carries the same advisory text as the GHSA entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9
- https://github.com/feathersjs/feathers/pull/3241
- https://github.com/feathersjs/feathers/pull/3242
- https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19
- https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19
Published: 2023-07-19