QwikSec

Security Database

CVE

CWE

Training

CVE-2023-37899

Published: Jul 19, 2023

Modified: Oct 28, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like `const message = ${{ toString: '' }}` which would cause the NodeJS process to crash when sending an unexpected Socket.io message like `socket.emit('find', { toString: '' })`. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.

Vendor	Product	Versions
feathersjs	feathers	affected `< 4.5.18` affected `>= 5.0.0, < 5.0.8`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9

x_refsource_CONFIRM

https://github.com/feathersjs/feathers/pull/3241

x_refsource_MISC

https://github.com/feathersjs/feathers/pull/3242

x_refsource_MISC

https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19

x_refsource_MISC

https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.