CVE-2022-41940 HIGH

CVE-2022-41940: Uncaught exception in engine.io

Vendor Socketio
Product engine.io
Weakness CWE-248
Published November 22, 2022
Last update April 22, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H

What the vulnerability does

Description

Engine.IO is the implementation of a transport-based, cross-browser/cross-device, bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, killing the Node.js process. This affects all users of the engine.io package, including those who use dependent packages such as socket.io. There is no known workaround other than upgrading to a safe version. Patches for this issue were released in versions 3.6.1 and 6.2.1.

Key dates

Disclosure timeline

November 22, 2022 CVE published
April 22, 2025 Record updated
