
Uncaught Exception in engine.io

### Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

> RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
> at Receiver.getInfo (/…/node_modules/ws/lib/receiver.js:176:14)
> at Receiver.startLoop (/…/node_modules/ws/lib/receiver.js:136:22)
> at Receiver._write (/…/node_modules/ws/lib/receiver.js:83:10)
> at writeOrBuffer (internal/streams/writable.js:358:12)

This impacts all users of the [`engine.io`](https://www.npmjs.com/package/engine.io) package starting from version `4.0.0`, including those who use dependent packages such as [`socket.io`](https://www.npmjs.com/package/socket.io).

### Patches

A fix has been released for each major branch:

| Version range | Fixed version |
| --- | --- |
| `engine.io@4.x.x` | `4.1.2` |
| `engine.io@5.x.x` | `5.2.1` |
| `engine.io@6.x.x` | `6.1.1` |
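As an added example (not part of the advisory or of the engine.io project), the following Node.js script walks the `packages` map of a `package-lock.json` and reports every `engine.io` entry, including nested copies pulled in by `socket.io`, that falls inside the affected ranges in the table above. The lockfile content is constructed, and the function names are chosen here; majors not listed in the table are treated as out of scope of this advisory.

```javascript
// Added example: check a lockfile against the fixed versions from the table.
// Affected: 4.0.0 <= v < 4.1.2, 5.0.0 <= v < 5.2.1, 6.0.0 <= v < 6.1.1.
const FIXED = { 4: "4.1.2", 5: "5.2.1", 6: "6.1.1" };

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the installed engine.io version is affected by this advisory.
function isVulnerable(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED[parsed[0]];
  // Majors before 4.0.0 predate the bug; majors absent from the table are
  // treated as not covered by this advisory (assumption made here).
  if (!fixed) return false;
  return compare(parsed, parseVersion(fixed)) < 0;
}

// Lockfile v2/v3 keys look like "node_modules/engine.io" or, for a nested
// copy, "node_modules/socket.io/node_modules/engine.io".
function findVulnerableEngineIo(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/engine.io")) continue;
    if (isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version, fixed: FIXED[parseVersion(meta.version)[0]] });
    }
  }
  return hits;
}

// Constructed sample lockfile: top-level copy already fixed, nested copy not.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/engine.io": { version: "6.1.1" },
    "node_modules/socket.io/node_modules/engine.io": { version: "4.1.1" },
    "node_modules/engine.io-client": { version: "6.1.1" },
  },
};

for (const hit of findVulnerableEngineIo(SAMPLE_LOCK)) {
  console.log(`${hit.path}: ${hit.version} is affected, upgrade to ${hit.fixed}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`.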

Previous versions (`