CVE-2022-21676: 
JavaScript vulnerability analysis and mitigation

Engine.IO, the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO, was found to contain a vulnerability that affects versions 4.0.0 and above. The vulnerability was discovered by Marcus Wejderot from Mevisio and was assigned CVE-2022-21676. The issue was publicly disclosed on January 12, 2022, affecting multiple versions including 4.0.0-4.1.1, 5.0.0-5.2.0, and 6.0.0-6.1.0 (GitHub Advisory).

The vulnerability is characterized by an uncaught exception that occurs when processing specially crafted HTTP requests. When exploited, it triggers a RangeError with the message 'Invalid WebSocket frame: RSV2 and RSV3 must be clear' in the WebSocket receiver component. The error occurs specifically in the ws library's receiver.js file, during the frame information processing (GitHub Release).

When successfully exploited, this vulnerability results in the termination of the Node.js process hosting the Engine.IO server. This can lead to a denial of service condition, affecting not only Engine.IO users but also applications using dependent packages like Socket.IO (GitHub Advisory).

The vulnerability has been patched in versions 4.1.2, 5.2.1, and 6.1.1. Users are strongly advised to upgrade to these patched versions. For Socket.IO users, specific version upgrades are recommended: Socket.IO 4.4.x users are safe with the current version, while users of versions 4.0.x-4.2.x should upgrade to 4.4.x. Socket.IO 3.0.x users should upgrade to either 3.1.x or 4.4.x. The fix can be applied using 'npm audit fix' or 'npm update engine.io --depth=9999' (GitHub Advisory).