[engine.io] Uncaught exception in engine.io

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

Version range	Fixed version
`engine.io@3.x.y`	`3.6.1`
`engine.io@6.x.y`	`6.2.1`

For socket.io users:

Version range	`engine.io` version	Needs minor update?
`socket.io@4.5.x`	`~6.2.0`	`npm audit fix` should be sufficient
`socket.io@4.4.x`	`~6.1.0`	Please upgrade to `socket.io@4.5.x`
`socket.io@4.3.x`	`~6.0.0`	Please upgrade to `socket.io@4.5.x`
`socket.io@4.2.x`	`~5.2.0`	Please upgrade to `socket.io@4.5.x`
`socket.io@4.1.x`	`~5.1.1`	Please upgrade to `socket.io@4.5.x`
`socket.io@4.0.x`	`~5.0.0`	Please upgrade to `socket.io@4.5.x`
`socket.io@3.1.x`	`~4.1.0`	Please upgrade to `socket.io@4.5.x` (see here)
`socket.io@3.0.x`	`~4.0.0`	Please upgrade to `socket.io@4.5.x` (see here)
`socket.io@2.5.0`	`~3.6.0`	`npm audit fix` should be sufficient
`socket.io@2.4.x` and below	`~3.5.0`	Please upgrade to `socket.io@2.5.0`

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

トピトピニュース

[engine.io] Uncaught exception in engine.io

Impact

Patches

Workarounds

For more information

References

Archives