
Cloud Vulnerability DB
A community-led vulnerabilities database
Engine.IO, the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO, was found to contain an uncaught exception vulnerability (CVE-2023-31125). The vulnerability was introduced in engine.io version 5.1.0, which shipped in version 4.1.0 of the socket.io parent package. The vulnerability was disclosed in May 2023 and affects all users of the engine.io package, including those who use it through dependent packages such as socket.io. A fix was released in version 6.4.2 of Engine.IO (GitHub Advisory).
The vulnerability allows a specially crafted HTTP request to trigger an uncaught exception on the Engine.IO server, resulting in a TypeError: Cannot read properties of undefined (reading 'handlesUpgrades') at Server.onWebSocket. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).
When successfully exploited, this vulnerability crashes the Node.js process, causing a Denial of Service (DoS) condition. This impacts all users of the engine.io package and of dependent packages such as socket.io (GitHub Advisory).
There is no known workaround except upgrading to the patched version 6.4.2 of Engine.IO. For socket.io users, different upgrade paths are recommended based on their current version. Users of socket.io@4.6.x can use npm audit fix, while users of older versions should upgrade to socket.io@4.6.x (GitHub Advisory).
Source: This report was generated using AI