
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-32695 is a vulnerability in socket.io-parser, a socket.io encoder and decoder written in JavaScript that complies with version 5 of socket.io-protocol. The vulnerability was discovered and disclosed on May 27, 2023, affecting versions >= 4.0.4, < 4.2.3 and >= 3.4.0, < 3.4.3 of the socket.io-parser package (GitHub Advisory).
The vulnerability stems from insufficient validation when decoding a Socket.IO packet. The issue has a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is associated with CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CWE-20 (Improper Input Validation) (NVD).
When exploited, a specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, resulting in the termination of the Node.js process. This leads to a TypeError with the message 'Cannot convert object to primitive value' at Socket.emit, effectively causing a denial of service (GitHub Advisory).
The vulnerability has been patched in socket.io-parser versions 4.2.3 and 3.4.3. Users are strongly advised to upgrade to these patched versions. For socket.io users, the upgrade path depends on their current version: those using socket.io 4.5.2 or later can use npm audit fix, while users of versions 4.1.3 to 4.5.1 should upgrade to socket.io@4.6.x. There are no known workarounds except upgrading to a safe version (GitHub Advisory).
Source: This report was generated using AI