FeathersJS is a well-known web development framework, widely used to create web APIs and real-time applications using TypeScript or JavaScript. Recently, a critical vulnerability (CVE-2023-37899) was discovered in the Feathers socket handler, which could potentially crash a NodeJS process when it encounters a specific scenario.

In this post, I will be discussing the vulnerability in detail, as well as the steps required to mitigate it. To better explain the problem, let's take a look at the code snippet and associated error that triggered this vulnerability.

Code Snippet

const message = ${{ toString: '' }}

socket.emit('find', { toString: '' })

Error Description

An issue with FeathersJS's socket handler occurs when it fails to catch invalid string conversion errors - such as, when the socket handler tries to convert the provided object value using the toString() function; this results in a crash of the underlying NodeJS process. As a consequence, an attacker could potentially leverage this vulnerability to cause a denial of service (DoS) by sending an unexpected Socket.io message, as shown in the code snippet above.

I encourage you to take a look at the original references for this vulnerability

1. FeathersJS Official Blog
2. GitHub Repository
3. CVE Details

Exploit Details

In order to exploit this vulnerability, an attacker could try to craft and send a malicious message through the Socket.io connection to the vulnerable FeathersJS application. By doing so, the attacker could potentially crash the NodeJS process, causing a denial of service for the application and its users.

To demonstrate this, one could use the following code snippet as a template

const io = require('socket.io-client');

const socket = io.connect('http://[target_url]:[target_port]';);

socket.emit('find', { toString: '' });

(Note: Replace [target_url] and [target_port] with the appropriate values for the targeted FeathersJS application)

Mitigation

Thankfully, the FeathersJS team has already addressed this vulnerability in the following versions: 5..8 and 4.5.18. Users are strongly advised to upgrade their FeathersJS installations to these versions or later in order to protect against this vulnerability. No known workaround exists for this issue.

Conclusion

In conclusion, the CVE-2023-37899 vulnerability highlights the importance of careful error handling and thorough testing procedures during software development. It is essential that developers and users alike stay informed about potential security vulnerabilities in the tools and frameworks they use so that they can quickly address any risks and ensure the safety and stability of their applications.

Timeline

Published on: 07/19/2023 20:15:00 UTC
Last modified on: 07/28/2023 15:55:00 UTC