CVE-2022-2421 CRITICAL

CVE-2022-2421: Socket.io - Improper type validation in attachment parsing

Vendor Socket.io

Product Socket.io-Parser

Weakness CWE-89 · SQLi

Published October 25, 2022

Last update March 11, 2025

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Key dates

02Disclosure timeline

October 25, 2022 CVE published

March 11, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-2421

Related vulnerabilities

04Related CVE

CVE-2025-5339 Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Time-Based SQL Injection via ‘bsa_pro_id' CVE-2025-25150 WordPress uListing plugin <= 2.1.6 - SQL Injection vulnerability CVE-2024-1197 SourceCodester Testimonial Page Manager HTTP GET Request delete-testimonial.php sql injection CVE-2024-23116 Centreon updateLCARelation SQL Injection Remote Code Execution Vulnerability CVE-2026-24854 Church CRM has SQL injection in PaddleNumEditor.php