You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
in the course of adding observability to openhab, I also stumbled across a few security vulnerabilites in frontail, I wanted to point out for whom it may concern.
Third-party DoS vulnerability (SNYK-JS-SOCKETIOPARSER-5596892): socket.io-parser is a socket.io protocol parser
Affected versions of this package are vulnerable to Denial of Service (DoS) due to insufficient validation when decoding a packet. An attacker can send an event with a name like '2[{"toString":"foo"}]' to trigger an uncaught exception and a crash, like the below.
TypeError: Cannot convert object to primitive value
at Socket.emit (node:events:507:25)
at .../node_modules/socket.io/lib/socket.js:531:14
For more information visit SNYK
Fix recommendation
Upgrade socket.io-parser to version 3.4.3, 4.2.3 or higher.
Third-party Uncaught Exception vulnerability (SNYK-JS-SOCKETIOPARSER-5596892): socket.io is a node.js realtime framework server.
Affected versions of this package are vulnerable to Uncaught Exception in handling error events. If there is no listener set up for such events, an attacker can send packets containing them to crash the Node process.
Fix recommendation
Upgrade socket.io to version 2.5.1, 4.6.2 or higher.
Third-party DoS vulnerability (SNYK-JS-ENGINEIO-3136336) engine.io is a realtime engine behind Socket.IO. It provides the foundation of a bidirectional connection between client and server
Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process.
Fix recommendation
Upgrade engine.io to version 3.6.1, 6.2.1 or higher.
Third-party DoS vulnerability (SNYK-JS-WS-7266574) ws is a simple to use websocket client, server and console for node.js.
Affected versions of this package are vulnerable to Denial of Service (DoS) when the number of received headers exceed the server.maxHeadersCount or request.maxHeadersCount threshold.
Hi all,
in the course of adding observability to openhab, I also stumbled across a few security vulnerabilites in frontail, I wanted to point out for whom it may concern.
Third-party DoS vulnerability (SNYK-JS-SOCKETIOPARSER-5596892):
socket.io-parser is a socket.io protocol parser
Affected versions of this package are vulnerable to Denial of Service (DoS) due to insufficient validation when decoding a packet. An attacker can send an event with a name like '2[{"toString":"foo"}]' to trigger an uncaught exception and a crash, like the below.
TypeError: Cannot convert object to primitive value
at Socket.emit (node:events:507:25)
at .../node_modules/socket.io/lib/socket.js:531:14
For more information visit SNYK
CVE: CVE-2023-32695
OWASP: 2021:A6
CWE: CWE-400
Affected processes
bin/frontail (frontail)
Fix recommendation
Upgrade socket.io-parser to version 3.4.3, 4.2.3 or higher.
Third-party Uncaught Exception vulnerability (SNYK-JS-SOCKETIOPARSER-5596892):
socket.io is a node.js realtime framework server.
Affected versions of this package are vulnerable to Uncaught Exception in handling error events. If there is no listener set up for such events, an attacker can send packets containing them to crash the Node process.
For more information visit SNYK
CVE: CVE-2024-38355
OWASP: 2021:A6
CWE: CWE-248
Affected processes:
bin/frontail (frontail)
Fix recommendation
Upgrade socket.io to version 2.5.1, 4.6.2 or higher.
Third-party DoS vulnerability (SNYK-JS-ENGINEIO-3136336)
engine.io is a realtime engine behind Socket.IO. It provides the foundation of a bidirectional connection between client and server
Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process.
For more information visit SNYK
CVE: CVE-2022-41940
OWASP: 2021:A6
CWE: CWE-400
Affected processes:
bin/frontail (frontail)
Fix recommendation
Upgrade engine.io to version 3.6.1, 6.2.1 or higher.
Third-party DoS vulnerability (SNYK-JS-WS-7266574)
ws is a simple to use websocket client, server and console for node.js.
Affected versions of this package are vulnerable to Denial of Service (DoS) when the number of received headers exceed the server.maxHeadersCount or request.maxHeadersCount threshold.
For more information visit SNYK
Node.js
CVE: CVE-2024-37890
OWASP: 2021:A6
CWE: CWE-400
Affected processes:
bin/frontail (frontail)
Fix recommendation
Upgrade ws to version 5.2.4, 6.2.3, 7.5.10, 8.17.1 or higher.
The text was updated successfully, but these errors were encountered: