
Critical vulnerability: Insufficient validation when decoding a Socket.IO packet


Hello,

We are currently facing a critical vulnerability in our project that depends on karma. https://github.com/advisories/GHSA-qm95-pgcg-qqfq

Steps to reproduce:
npm install
npm audit

Console message:

├─ socket.io-parser: 4.0.4
│  ├─ Issue: Insufficient validation when decoding a Socket.IO packet
│  ├─ URL: https://github.com/advisories/GHSA-qm95-pgcg-qqfq
│  ├─ Severity: critical
│  ├─ Vulnerable Versions:
│  ├─ Patched Versions: >=4.0.5
│  ├─ Via: karma, karma-htmlfile-reporter, karma-jasmine-html-reporter
│  └─ Recommendation: Upgrade to version 4.0.5 or later

Thank you in advance.
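To confirm whether a project's dependency tree still carries a copy of socket.io-parser below the advisory's patched range (>=4.0.5), here is an added example, not code from the issue or from the karma project, that walks the nested JSON shape of `npm ls --all --json` output; the tree and the package versions in it are a constructed sample, not a real install.

```python
import json

PACKAGE = "socket.io-parser"
PATCHED = (4, 0, 5)  # from the advisory: patched versions >=4.0.5

# Constructed sample in the nested shape of `npm ls --all --json` output:
# karma pulls in a vulnerable 4.0.4 copy, another dependency a fixed one.
SAMPLE_TREE = json.loads("""{
  "name": "example-app",
  "dependencies": {
    "karma": {"version": "6.4.1", "dependencies": {
      "socket.io": {"version": "4.4.1", "dependencies": {
        "socket.io-parser": {"version": "4.0.4"}}}}},
    "other-lib": {"version": "1.0.0", "dependencies": {
      "socket.io-parser": {"version": "4.2.1"}}}
  }
}""")

def parse_semver(version):
    """Return (major, minor, patch) as ints; pre-release/build suffixes dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def find_package(tree, name, path=()):
    """Yield (dependency path, version) for every copy of `name` in the tree."""
    for dep_name, node in tree.get("dependencies", {}).items():
        here = path + (dep_name,)
        if dep_name == name and "version" in node:
            yield here, node["version"]
        yield from find_package(node, name, here)

def vulnerable_copies(tree):
    """Return [(path string, version)] for copies older than PATCHED."""
    return [(" > ".join(path), version)
            for path, version in find_package(tree, PACKAGE)
            if parse_semver(version) < PATCHED]

if __name__ == "__main__":
    for path, version in vulnerable_copies(SAMPLE_TREE):
        print(f"VULNERABLE {PACKAGE}@{version} via {path}")
```

Against a real project, save `npm ls --all --json` to a file and load it in place of SAMPLE_TREE; every reported path shows which top-level dependency (here karma) needs the upgrade.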

Issue Analytics

  • State: open
  • Created: a year ago
  • Reactions: 8
  • Comments: 10

Top GitHub Comments

1 reaction
efogarasi commented, Nov 30, 2022

+1, we are also waiting for the patch version…

1 reaction
AllForNothing commented, Nov 17, 2022

+1, waiting for the patch version…
