Home > Vulnerability Database > CVE-2022-2421

Mend.io Vulnerability Database

CVE-2022-2421

Good to know:

Date: October 24, 2022

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Language: JS

Severity Score

10.0

Related Resources (11)

Url: https://csirt.divd.nl/cves/CVE-2022-2421

Url: https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4

Url: https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983

Url: https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050

Url: https://github.com/socketio/socket.io-parser

Url: https://csirt.divd.nl/cases/DIVD-2022-00045

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-2421

Url: https://csirt.divd.nl/CVE-2022-2421

Url: https://csirt.divd.nl/DIVD-2022-00045

Url: https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14

Url: https://www.mend.io/vulnerability-database/CVE-2022-2421

Severity Score

10.0

Weakness Type (CWE)

Input Validation

CWE-20

SQL Injection

CWE-89

Insufficient Information

NVD-CWE-noinfo

Improper Validation of Specified Type of Input

CWE-1287

Top Fix

Upgrade Version

Upgrade to version socket.io-parser - 3.3.3,3.4.2,4.0.5,4.2.1;org.webjars.npm:socket.io-parser:4.0.5,4.2.1

Learn More

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-2421

Good to know:

Date: October 24, 2022

Language: JS

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?