CVE-2022-2421

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-2421

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2421.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-2421

Aliases

GHSA-qm95-pgcg-qqfq

Published

2022-10-26T10:15:16.780Z

Modified

2026-03-13T05:31:39.313295Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

References

Affected packages

Git / github.com/socketio/socket.io-parser

Affected ranges

Type

GIT

Repo

https://github.com/socketio/socket.io-parser

Events

Introduced

Fixed

cd11e38e1a3e2146617bc586f86512605607b212

Introduced

652402a8568c2138da3c27c96756b32efca6c4bf

Fixed

4b3c191bc411578099c8dd35499d8c7a75860192

Introduced

c04d7f5c47ed712eb0f56cfc1a859f1aaa828f1e

Fixed

f3329eb5a46b215a3fdf91b6008c56cf177a4124

Introduced

5ad3e5cc4b16326e3def2b834bd90c0424bfdd83

Fixed

5a2ccff9d1d8fdbadd3faad9290a9e3b165cf9a2

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.3"
        },
        {
            "introduced": "3.4.0"
        },
        {
            "fixed": "3.4.2"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.5"
        },
        {
            "introduced": "4.1.0"
        },
        {
            "fixed": "4.2.1"
        }
    ]
}

Affected versions

3.*

3.4.0

3.4.1

4.*

4.0.0

4.0.1

4.0.1-rc1

4.0.1-rc2

4.0.1-rc3

4.0.2

4.0.3

4.0.4

4.1.0

4.1.1

4.1.2

4.2.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2421.json"