Skip to content

Security Vulnerabilities in Frontail #261

New issue
New issue
Open
Open
Security Vulnerabilities in Frontail#261
@Ltty

Description

@Ltty
Ltty
opened on Oct 8, 2024

Hi all,

in the course of adding observability to openhab, I also stumbled across a few security vulnerabilites in frontail, I wanted to point out for whom it may concern.

Third-party DoS vulnerability (SNYK-JS-SOCKETIOPARSER-5596892):
socket.io-parser is a socket.io protocol parser

Affected versions of this package are vulnerable to Denial of Service (DoS) due to insufficient validation when decoding a packet. An attacker can send an event with a name like '2[{"toString":"foo"}]' to trigger an uncaught exception and a crash, like the below.

TypeError: Cannot convert object to primitive value
at Socket.emit (node:events:507:25)
at .../node_modules/socket.io/lib/socket.js:531:14
For more information visit SNYK

CVE​: CVE-2023-32695
OWASP​: 2021:A6
CWE​: CWE-400

Affected processes
bin/frontail (frontail)

Fix recommendation
Upgrade socket.io-parser to version 3.4.3, 4.2.3 or higher.

Third-party Uncaught Exception vulnerability (SNYK-JS-SOCKETIOPARSER-5596892):
socket.io is a node.js realtime framework server.

Affected versions of this package are vulnerable to Uncaught Exception in handling error events. If there is no listener set up for such events, an attacker can send packets containing them to crash the Node process.

For more information visit SNYK

CVE​: CVE-2024-38355
OWASP​: 2021:A6
CWE​: CWE-248

Affected processes:
bin/frontail (frontail)

Fix recommendation
Upgrade socket.io to version 2.5.1, 4.6.2 or higher.

Third-party DoS vulnerability (SNYK-JS-ENGINEIO-3136336)
engine.io is a realtime engine behind Socket.IO. It provides the foundation of a bidirectional connection between client and server

Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process.

For more information visit SNYK

CVE​: CVE-2022-41940
OWASP​: 2021:A6
CWE​: CWE-400

Affected processes:
bin/frontail (frontail)

Fix recommendation
Upgrade engine.io to version 3.6.1, 6.2.1 or higher.

Third-party DoS vulnerability (SNYK-JS-WS-7266574)
ws is a simple to use websocket client, server and console for node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS) when the number of received headers exceed the server.maxHeadersCount or request.maxHeadersCount threshold.

For more information visit SNYK

Node.js

CVE​: CVE-2024-37890
OWASP​: 2021:A6
CWE​: CWE-400

Affected processes:
bin/frontail (frontail)

Fix recommendation
Upgrade ws to version 5.2.4, 6.2.3, 7.5.10, 8.17.1 or higher.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions