Description

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Remediation

References

https://csirt.divd.nl/CVE-2022-2421

https://csirt.divd.nl/DIVD-2022-00045

Related Vulnerabilities

CVE-2020-14966 Vulnerability in npm package jsrsasign

CVE-2019-16776 Vulnerability in maven package org.webjars:npm

CVE-2021-32573 Vulnerability in npm package express-cart

CVE-2018-3721 Vulnerability in npm package lodash

CVE-2019-17359 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15on

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory NVD-CWE-noinfo