CVE-2023-37899 - How a Malicious Socket.io Message Could Crash Your FeathersJS App
FeathersJS is a popular framework that helps developers quickly build web APIs and real-time applications using TypeScript or JavaScript. It leverages robust libraries like Socket.io for handling real-time events over WebSockets, making it a favorite for building modern, reactive applications.
But in 2023, a subtle vulnerability was discovered that could let an attacker bring your FeathersJS server down with a single, specially-crafted message. That vulnerability was logged as CVE-2023-37899.
If you use FeathersJS (especially as a backend for chat, data streaming, or collaborative apps), you need to know about this issue, how it works, and how to fix it!
What Exactly Is CVE-2023-37899?
CVE-2023-37899 is a denial-of-service (DoS) vulnerability in FeathersJS—specifically, in the part of the code that handles incoming messages over Socket.io.
The Root Problem
When FeathersJS receives a message (such as a .find request) from a client over Socket.io, it tries to convert message parameters to strings. It expects well-formed input, but *did not handle the case where the input object had a toString method that was not callable as a function*. If the server tried to coerce such an object to a string, Node.js would throw an unhandled error, causing the process to crash.
A malicious user could send a message like:
socket.emit('find', { toString: '' });
Here, { toString: '' } defines a property toString that is a string (not a function), which is odd but legal in JavaScript. When Feathers attempts to convert the whole message to a string (via String(obj) or a direct obj.toString() call), Node.js tries to call obj.toString(). Because toString is not a function, Node throws:
TypeError: toString is not a function
Since FeathersJS did not catch this error, the Node.js process would crash, taking your entire API or real-time server offline.
A simplified version of the vulnerable code might look like:
// Somewhere in the Feathers socket handler
function handleMessage(message) {
  // The handler tries to log or parse the client-supplied message
  const msgString = message.toString(); // Danger: toString might not be a function!
  // ...rest of handler logic...
}
If message is { toString: '' }, the line above will crash.
Proof of Exploit
You can exploit this vulnerability in *any* FeathersJS app exposing Socket.io to the web. Here’s how it looks using the browser console or a simple client script:
// Connect to a vulnerable FeathersJS server
const socket = io('http://localhost:303'); // Adjust URL as needed
// Send a malicious message
socket.emit('find', { toString: '' });
Immediately after receiving this malformed message, the FeathersJS server will encounter a fatal, unhandled error and shut down.
Feathers v4 users: Upgrade to 4.5.18 or later
There is no workaround for this vulnerability. Catching conversion errors in middleware might not be enough and could interfere with app logic. Upgrading FeathersJS is the only safe solution.
Using npm, in your project directory:
npm install @feathersjs/feathers@latest
npm install @feathersjs/socketio@latest
Or, if you're using v4:
npm install @feathersjs/feathers@^4.5.18
npm install @feathersjs/socketio@^4.5.18
Original References
- CVE Record on NVD
- FeathersJS Security Advisory on GitHub
- FeathersJS Changelog
Details About the Patch
With the patch, FeathersJS checks whether the toString property is actually a function before calling it, or uses a string conversion that never throws:
function safeToString(obj) {
  // null and undefined have no properties; reading obj.toString would itself throw
  if (obj === null || obj === undefined) {
    return String(obj);
  }
  // Only call toString when it really is callable
  if (typeof obj.toString === 'function') {
    return obj.toString();
  }
  // Fall back to the built-in conversion, ignoring the shadowed property
  return Object.prototype.toString.call(obj);
}
This prevents attacker-supplied objects with broken toString properties from ever crashing your backend.
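As an added illustration (not the FeathersJS project's own code), the handler shape from this article beside a coercion that survives { toString: '' } and a per-handler guard that turns a handler exception into an error reply instead of a process crash; the names handleMessageVulnerable, safeToString, handleMessageSafe and withCrashGuard are chosen here, and the payload is constructed.

```javascript
'use strict';

// Vulnerable shape from the article: coerces the client message blindly.
function handleMessageVulnerable(message) {
  return `find: ${message.toString()}`; // TypeError when toString is not callable
}

// Coerces any client-supplied value to a string without ever throwing.
// Socket.io payloads arrive JSON-decoded, so a remote client cannot send a
// function or accessor, only a non-callable toString such as '' (CVE-2023-37899).
function safeToString(value) {
  if (value === null || value === undefined) return String(value);
  try {
    // Primitives, and objects whose toString is a real function, convert normally.
    if (typeof value !== 'object' || typeof value.toString === 'function') {
      return String(value);
    }
  } catch (err) {
    // A toString that throws falls through to the fallback below.
  }
  // Own toString shadowed by a non-function (e.g. ''): bypass it entirely.
  return Object.prototype.toString.call(value);
}

// Hardened version of the same handler.
function handleMessageSafe(message) {
  return `find: ${safeToString(message)}`;
}

// Last line of defence: report a handler exception back as an error result
// rather than letting it escape as an uncaught exception that kills the process.
function withCrashGuard(handler) {
  return function guarded(message) {
    try {
      return { ok: true, result: handler(message) };
    } catch (err) {
      return { ok: false, error: err instanceof Error ? err.name : 'Error' };
    }
  };
}

// Constructed sample payload, decoded exactly as it would arrive over the wire.
const hostileMessage = JSON.parse('{"toString":""}');
```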
Conclusion
CVE-2023-37899 is a great example of how even small assumptions (like an object property always being a function) can become a security risk. If you’re running FeathersJS and allow public access to your Socket.io APIs, upgrade immediately.
Stay safe: Don’t let a single bad message take down your real-time app!
> Have you been hit by a mysterious Node.js crash? Upgrade to the latest FeathersJS and kick this bug for good.
Further reading:
- FeathersJS Quick Start
- FeathersJS Socket.io Transport
*This article is exclusive content summarizing public advisories and the author’s own code review. Please link to original sources for more details.*
Timeline
Published on: 07/19/2023 20:15:00 UTC
Last modified on: 07/28/2023 15:55:00 UTC