Vulnerability

CVE-2022-2421
CVSS Score 9.8 critical

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89

[CVE-2022-2421] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

Due to improper type validation in attachment parsing in the Socket.io js library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.

The affected code is the placeholder reconstruction step of socket.io-parser. Binary attachments are sent separately from the JSON packet, and the JSON carries markers of the form {_placeholder: true, num: <index>} that the decoder replaces with the attachment at that index when it reassembles the packet. Because num was not checked to be an in-range integer, a client-supplied string such as "constructor" indexes the attachments array's prototype chain and substitutes a function (or undefined, for an out-of-range number) into the decoded event data, which the server's event handlers then receive as if it were an attachment. socket.io-parser 4.2.1 validates both the placeholder shape and the index before substituting; servers should upgrade rather than try to filter packets, and any custom parser that reproduces this pattern needs the same check.

See socket.io package information