CVE-2023-37899

7.5 HIGH

📋 TL;DR

Feathers.js Socket.io handler contains an uncaught exception vulnerability where specially crafted messages with invalid toString methods can crash the Node.js process. This affects all Feathers.js applications using Socket.io for real-time communication. The vulnerability allows denial of service attacks against affected applications.

💻 Affected Systems

Products:
  • Feathers.js
Versions: All versions before 4.5.18 (v4 line) and before 5.0.8 (v5 line)
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Feathers.js with Socket.io transport. Applications using only REST are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service disruption through repeated process crashes, potentially leading to extended downtime and service unavailability.

🟠 Likely Case: Intermittent service disruptions and degraded performance as Node.js processes restart after crashes.

🟢 If Mitigated: Minimal impact with proper monitoring and auto-restart mechanisms in place, though service interruptions may still occur.

🌐 Internet-Facing: HIGH - Socket.io endpoints are typically exposed to clients, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal clients could still exploit this, but attack surface is more limited.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending specially crafted Socket.io messages. The advisory includes example payloads that demonstrate the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.18 or 5.0.8

Vendor Advisory: https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9

Restart Required: Yes

Instructions:

1. Update package.json to specify Feathers.js version 4.5.18+ (for v4) or 5.0.8+ (for v5).
2. Run 'npm update @feathersjs/feathers' or 'yarn upgrade @feathersjs/feathers'.
3. Restart all Node.js processes running the application.

🔧 Temporary Workarounds

No official workaround

The advisory states there is no known workaround for this vulnerability.

🧯 If You Can't Patch

  • Implement rate limiting on Socket.io endpoints to reduce the impact of repeated crash attempts
  • Deploy the application behind a WAF with DoS protection capabilities

🔍 How to Verify

Check if Vulnerable:

Check the installed version of @feathersjs/feathers (package.json only records the requested range; the command below shows what is actually installed). If the version is below 4.5.18 (for v4) or below 5.0.8 (for v5), the system is vulnerable.

Check Version:

npm list @feathersjs/feathers | grep @feathersjs/feathers

Verify Fix Applied:

After updating, verify the version is 4.5.18+ or 5.0.8+ and test Socket.io message handling with various payloads.
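As an added example (not part of this advisory or the Feathers project), a small Node.js script that applies the version check above to the output of the `npm list` command; the npm output it parses is a constructed sample, and the handling of majors outside 4 and 5 is an assumption stated in the comments:

```javascript
// Added example, not from the advisory or the Feathers project: decide whether
// an installed @feathersjs/feathers version is in the CVE-2023-37899 range.
// Fixed releases per the advisory: 4.5.18 (v4 line) and 5.0.8 (v5 line).
// Assumption: anything below major 4 is "before 4.5.18" and counts as affected;
// majors above 5 are outside the advisory's stated range.
const FIXED_V4 = [4, 5, 18];
const FIXED_V5 = [5, 0, 8];

// Parse "4.5.17", "v5.0.7" or "5.0.8-pre.1" into numeric parts plus any
// pre-release tag; returns null for strings that are not a version.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(str).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Lexicographic compare of [major, minor, patch]: -1, 0 or 1.
function compareNums(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is below the fixed release of its major line.
function isVulnerable(versionStr) {
  const v = parseVersion(versionStr);
  if (!v) throw new Error(`unparseable version: ${versionStr}`);
  const major = v.nums[0];
  const fixed = major <= 4 ? FIXED_V4 : major === 5 ? FIXED_V5 : null;
  if (!fixed) return false;
  const cmp = compareNums(v.nums, fixed);
  // A pre-release of the fixed version (5.0.8-pre.1) still predates the fix.
  return cmp < 0 || (cmp === 0 && v.pre !== null);
}

// Pull the installed version out of `npm list @feathersjs/feathers` output
// (a trailing "deduped" or similar marker is ignored).
function versionFromNpmList(output) {
  const m = /@feathersjs\/feathers@([^\s]+)/.exec(output);
  return m ? m[1] : null;
}

// Constructed sample of what `npm list @feathersjs/feathers` prints.
const SAMPLE_NPM_LIST = 'my-app@1.0.0 /srv/my-app\n└── @feathersjs/feathers@4.5.17\n';

const installed = versionFromNpmList(SAMPLE_NPM_LIST);
console.log(`${installed}: ${isVulnerable(installed) ? 'VULNERABLE, upgrade' : 'patched'}`);
```

In practice, pipe the real command output into versionFromNpmList instead of the sample string.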

📡 Detection & Monitoring

Log Indicators:

  • Node.js process crashes
  • Uncaught exceptions in application logs
  • Socket.io connection errors
  • Process restart events

Network Indicators:

  • Unusual Socket.io message patterns
  • High volume of Socket.io messages from single sources

SIEM Query:

source="application.logs" AND ("uncaught exception" OR "process.exit" OR "socket.emit") AND ("toString" OR "Feathers" OR "Socket.io")
