CVE-2022-2421

CRITICAL

socket.io-parser < 3.3.3 and 4.0.0-4.0.5 - SQL Injection via Attachment Parsing


Description

Due to improper type validation in attachment parsing in the Socket.io JS library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.

References (2)

Third Party Advisory: https://csirt.divd.nl/CVE-2022-2421
Third Party Advisory: https://csirt.divd.nl/DIVD-2022-00045

Scores

CVSS v3 10.0
EPSS 0.0084
EPSS Percentile 74.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
npm/socket.io-parser 4.0.0 - 4.0.5 (npm)
socket/socket.io-parser < 3.3.3
Published Oct 26, 2022
Tracked Since Feb 18, 2026