CVE-2023-37899

EUVD-2023-2077

19.07.2023, 20:15

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like `const message = ${{ toString: '' }}` which would cause the NodeJS process to crash when sending an unexpected Socket.io message like `socket.emit('find', { toString: '' })`.  A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 42%

Affected Products (NVD)

Vendor	Product	Version
feathersjs	feathers	𝑥 < 4.5.18
feathersjs	feathers	5.0.0 ≤ 𝑥 < 5.0.8

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-754 - Improper Check for Unusual or Exceptional Conditions
The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software.

References

https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19

https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19

https://github.com/feathersjs/feathers/pull/3241

https://github.com/feathersjs/feathers/pull/3242

https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9

https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19

https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19

https://github.com/feathersjs/feathers/pull/3241

https://github.com/feathersjs/feathers/pull/3242

https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9