#VU76616 Uncaught Exception in engine.io - CVE-2023-31125

Cybersecurity Help s.r.o.

Published: 2023-05-30 | Updated: 2023-06-16

Vulnerability identifier: #VU76616

Vulnerability risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-31125

CWE-ID: CWE-248

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
engine.io
Other software / Other software solutions

Vendor: socket.io

Description

The vulnerability allows a remote user to perform denial of service attacks.

The vulnerability exists due to an uncaught exception. A remote user can send specially crafted HTTP request to trigger the vulnerability and perform denial of service attacks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

engine.io: 5.1.0 - 6.4.1

External links
https://github.com/socketio/engine.io/releases/tag/6.4.2
https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44
https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Answer Retrieval for Watson Discovery

Uncaught exception in IBM Decision Optimization for Cloud Pak for Data

Fedora 39 update for magicmirror

Multiple vulnerabilities in IBM Watson Knowledge Catalog for IBM Cloud Pak for Data

Uncaught exception in IBM App Connect Enterprise Certified Container

Multiple vulnerabilities in IBM Cloud Transformation Advisor