GHSA-cqmj-92xf-r6r9
HIGHInsufficient validation when decoding a Socket.IO packet
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
socket.io-parsernpmDescription
Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
TypeError: Cannot convert object to primitive value
at Socket.emit (node:events:507:25)
at .../node_modules/socket.io/lib/socket.js:531:14
Patches
A fix has been released today (2023/05/22):
- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in
[email protected] - https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in
[email protected]
Another fix has been released for the 3.3.x branch:
- https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4, included in `[email protected]
socket.io version | socket.io-parser version | Needs minor update? |
|---|---|---|
4.5.2...latest | ~4.2.0 (ref) | npm audit fix should be sufficient |
4.1.3...4.5.1 | ~4.1.1 (ref) | Please upgrade to [email protected] |
3.0.5...4.1.2 | ~4.0.3 (ref) | Please upgrade to [email protected] |
3.0.0...3.0.4 | ~4.0.1 (ref) | Please upgrade to [email protected] |
2.3.0...2.5.0 | ~3.4.0 (ref) | npm audit fix should be sufficient |
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
- Open a discussion here
Thanks to @rafax00 for the responsible disclosure.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | socket.io-parser | ≥ 4.0.4&&< 4.2.3 | 4.2.3 |
| 📦npm | socket.io-parser | ≥ 3.4.0&&< 3.4.3 | 3.4.3 |
| 📦npm | socket.io-parser | all versions | 3.3.4 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for socket.io-parser. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update socket.io-parser to 4.2.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-cqmj-92xf-r6r9 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-cqmj-92xf-r6r9 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-cqmj-92xf-r6r9. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-cqmj-92xf-r6r9 in your dependencies?
O3 detects GHSA-cqmj-92xf-r6r9 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.