SocketIO - debug version 4.0.0 to 4.3.0 - CVE-2017-16137 #3523
Description
Regular Expression Denial of Service vulnerability using @feathersjs/socketio version 4.5.XX
@feathersjs/socketio v4 relies in engine.io 3.4.0 which uses debug 4.0.0, npm audit is stating a vulnerability check on this versions (Regular Expression Denial of Service in debug).
Expected behavior
No vulnerabilities.
Steps to reproduce
Install the following package.json:
{
"name": "test",
"version": "1.0.0",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC",
"description": "",
"dependencies": {
"@feathersjs/adapter-commons": "^4.5.17",
"@feathersjs/authentication": "^4.5.18",
"@feathersjs/authentication-local": "^4.5.18",
"@feathersjs/authentication-oauth": "^4.5.18",
"@feathersjs/configuration": "^4.5.17",
"@feathersjs/errors": "^4.5.17",
"@feathersjs/express": "^4.5.18",
"@feathersjs/feathers": "^4.5.17",
"@feathersjs/socketio": "^4.5.18",
"@feathersjs/transport-commons": "^4.5.18"
}
}
npm install
Output
System configuration
Module versions:
- "@feathersjs/adapter-commons": "^4.5.17",
- "@feathersjs/authentication": "^4.5.18",
- "@feathersjs/authentication-local": "^4.5.18",
- "@feathersjs/authentication-oauth": "^4.5.18",
- "@feathersjs/configuration": "^4.5.17",
- "@feathersjs/errors": "^4.5.17",
- "@feathersjs/express": "^4.5.18",
- "@feathersjs/feathers": "^4.5.17",
- "@feathersjs/socketio": "^4.5.18",
- "@feathersjs/transport-commons": "^4.5.18",
NodeJS version: 22.2.0
NPM vesion: 10.7.0
Operating System: Windows 11 home 23H2
Module Loader: commonjs