CVE Vulnerability

CVE-2022-39386

@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1.1 (fastify v4) and version 5.0.1 (fastify v3). There are currently no known workarounds. However, it should be possible to attach the error handler manually. The recommended path is upgrading to the patched versions.

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/fastify/fastify-websocket/security/advisories/GHSA-4pcg-wr6c-h9cq Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:fastify:websocket:*:*:*:*:*:node.js:*:*
cpe:2.3:a:fastify:websocket:5.0.0:*:*:*:*:node.js:*:*
Information

Published : 2022-11-08 10:15

Updated : 2022-11-09 04:14

NVD link : CVE-2022-39386

Mitre link : CVE-2022-39386

Products Affected
No products.
CWE
NVD-CWE-noinfo