CVE-2022-41940
moderate-risk
Published 2022-11-22
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.
Do I need to act?
~
2.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.1/10
High
NETWORK
/ HIGH complexity
Affected Products (1)
Engine.Io
Affected Vendors
References (6)
31
/ 100
moderate-risk
Severity
21/34 · High
Exploitability
5/34 · Minimal
Exposure
5/34 · Minimal