CVE-2023-32695
📋 TL;DR
CVE-2023-32695 is a denial-of-service vulnerability in socket.io-parser where a specially crafted Socket.IO packet triggers an uncaught exception, crashing the Node.js server process. This affects any application using vulnerable versions of socket.io-parser as part of Socket.IO server implementations. The vulnerability allows remote attackers to disrupt service availability without authentication.
💻 Affected Systems
- socket.io-parser
- socket.io
- Any application using socket.io server with vulnerable parser
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage with Node.js process termination, requiring manual restart and causing extended downtime.
Likely Case
Service disruption and downtime until the process is restarted, potentially affecting all connected clients.
If Mitigated
Minimal impact if proper process monitoring and auto-restart mechanisms are in place.
🎯 Exploit Status
Exploitation requires sending a specially crafted Socket.IO packet to the server. No authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: socket.io-parser 4.2.3
Vendor Advisory: https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9
Restart Required: Yes
Instructions:
1. Update the socket.io-parser dependency to version 4.2.3 or higher.
2. Update package.json to specify "socket.io-parser": ">=4.2.3".
3. Run npm update or yarn upgrade.
4. Restart the Node.js application.
🔧 Temporary Workarounds
Process Monitoring and Auto-restart
Implement process monitoring with auto-restart to minimize downtime from crashes:
- Use PM2: pm2 start app.js --name 'socket-app'
- Use systemd with Restart=always
- Use forever: forever start app.js
🧯 If You Can't Patch
- Implement network filtering to block or rate-limit Socket.IO traffic from untrusted sources
- Deploy the application behind a reverse proxy with request validation and filtering capabilities
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules for socket.io-parser version. If version is < 4.2.3, the system is vulnerable.
Check Version:
Run npm list socket.io-parser, or check package.json for the socket.io-parser version.
Verify Fix Applied:
Verify socket.io-parser version is 4.2.3 or higher in package.json and after npm install/yarn install.
📡 Detection & Monitoring
Log Indicators:
- Node.js process crashes with uncaught exceptions
- Socket.IO server restart logs
- Application crash logs mentioning socket.io-parser
Network Indicators:
- Unusual Socket.IO packet patterns
- Multiple connection attempts followed by service disruption
SIEM Query:
source="application.logs" AND ("uncaught exception" OR "process.exit" OR "socket.io") AND ("crash" OR "terminated")
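Added example, not part of the advisory: the SIEM query above expressed as a matcher in JavaScript, run over a few constructed log lines, together with a small uncaughtException handler that makes a Node.js process emit a record the query will find before it exits. The caveat it demonstrates: Node's default output for an uncaught error is the stack trace, which never contains the literal phrase "uncaught exception", so the query only fires on lines the application or its supervisor writes with those terms. Sample lines and paths are constructed.

```javascript
// Added example, not from the advisory or the socket.io project. Two pieces:
// (1) matchesSiemQuery() applies the advisory's SIEM query to a log line, and
// (2) installCrashLogger() makes a Node.js process emit a record that the query
// matches before it exits. Node's default output for an uncaught error is the
// stack trace; it does not contain the phrase "uncaught exception", so a query
// keyed on that phrase only fires if the application logs it itself.

// Terms copied from the advisory's query, matched case-insensitively.
const GROUP_A = ['uncaught exception', 'process.exit', 'socket.io'];
const GROUP_B = ['crash', 'terminated'];

// (A1 OR A2 OR A3) AND (B1 OR B2)
function matchesSiemQuery(line) {
  const text = String(line).toLowerCase();
  const anyA = GROUP_A.some((term) => text.includes(term));
  const anyB = GROUP_B.some((term) => text.includes(term));
  return anyA && anyB;
}

// True if any stack frame comes from socket.io-parser.
function parserInStack(err) {
  return /socket\.io-parser/.test(String((err && err.stack) || ''));
}

// One JSON record per fatal error. The message wording is chosen so the record
// satisfies both groups of the query.
function formatCrashRecord(err, meta = {}) {
  const frames = String((err && err.stack) || '').split('\n');
  return JSON.stringify({
    ts: new Date().toISOString(),
    level: 'fatal',
    event: 'crash',
    msg: 'uncaught exception, process terminated',
    error: err && err.name,
    detail: err && err.message,
    parserInStack: parserInStack(err),
    topFrame: (frames[1] || '').trim(),
    ...meta,
  });
}

// Call once at startup. Logs, then exits non-zero so the supervisor (PM2,
// systemd Restart=always, forever) restarts the process.
function installCrashLogger(log = (s) => process.stderr.write(s + '\n')) {
  process.on('uncaughtException', (err) => {
    log(formatCrashRecord(err, { pid: process.pid }));
    process.exit(1);
  });
}

// Constructed sample log lines, not captures from a real incident.
const SAMPLE_LINES = [
  // Node's own output for an uncaught TypeError: neither group matches
  'TypeError: Cannot read properties of undefined',
  // a stack frame naming the parser: group A only (path is constructed)
  '    at Decoder.add (/srv/app/node_modules/socket.io-parser/build/cjs/index.js:1:1)',
  // supervisor restart line (constructed PM2-style wording): neither group matches
  'PM2 | App [socket-app] with id [0] and pid [4242], exited with code [1]',
  // record from installCrashLogger(): both groups match
  formatCrashRecord(new TypeError('constructed sample'), { pid: 4242 }),
];

function matchingSamples(lines = SAMPLE_LINES) {
  return lines.filter(matchesSiemQuery);
}
```

Of the four constructed lines only the structured record matches; the stack frame contains "socket.io" but none of the second group's terms, and the default Node and supervisor lines contain none of the query's terms at all. Calling installCrashLogger() at startup closes that gap, and the parserInStack field lets the detection rule tell a parser-induced crash from an unrelated one.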
🔗 References
- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced
- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3
- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3
- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9