CVE-2023-37899 HIGH

CVE-2023-37899: feathersjs socket handler allows abusing implicit toString

Vendor Feathersjs
Product feathers
Weakness CWE-754
Published July 19, 2023
Last update October 28, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like `const message = ${{ toString: '' }}` which would cause the NodeJS process to crash when sending an unexpected Socket.io message like `socket.emit('find', { toString: '' })`. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.

Key dates

02Disclosure timeline

July 19, 2023 CVE published
October 28, 2024 Record updated