CVE-2023-32695 Overview
CVE-2023-32695 is a Denial of Service vulnerability affecting the socket.io-parser package, a Socket.IO encoder and decoder written in JavaScript that complies with version 5 of the socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, causing the Node.js process to crash and terminate unexpectedly.
This vulnerability represents a significant risk for applications relying on Socket.IO for real-time communication, as it allows unauthenticated remote attackers to disrupt service availability without requiring any user interaction.
Critical Impact
Remote attackers can crash Node.js servers running Socket.IO by sending maliciously crafted packets, leading to complete service disruption and potential cascading failures in dependent systems.
Affected Products
- socket.io-parser versions prior to 4.2.3 (Node.js)
- Applications using vulnerable socket.io-parser as a dependency
- Socket.IO servers processing untrusted client input
Discovery Timeline
- May 27, 2023 - CVE-2023-32695 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-32695
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) and improper check for exceptional conditions (CWE-754) in the socket.io-parser library. The parser fails to properly validate the format of event names within incoming Socket.IO packets before processing them. When a malformed packet with an invalid payload structure is received, the parser throws an uncaught exception rather than gracefully handling the error condition.
The vulnerability is particularly dangerous because Socket.IO servers typically handle numerous concurrent connections. A single malicious packet can terminate the entire Node.js process, affecting all connected clients simultaneously. Since no authentication or special privileges are required, any network client capable of sending WebSocket messages can exploit this flaw.
Root Cause
The root cause lies in the isPayloadValid function within the socket.io-parser library. Prior to the patch, the validation logic did not properly check the format of the event name within event packets. Specifically, the parser would accept arrays as valid payloads for EVENT and BINARY_EVENT packet types without verifying that the first element (the event name) was actually a string or number. This allowed attackers to craft payloads that would pass initial validation but cause exceptions during subsequent processing.
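The check described above, as an added example that is not socket.io-parser's own code: a reduced model of the event-packet validation with the pre-patch rule beside the 4.2.3 rule, plus a decode wrapper that makes a rejected frame fail only the connection it arrived on. Packet-type numbers follow the socket.io-protocol; the frame format, the function names and the sample frames are simplifications constructed for the example (no namespace, ack id or binary attachments).

```javascript
// Added example, not socket.io-parser's own code: a reduced model of the
// event-packet check. The pre-patch rule sits beside the 4.2.3 rule, and
// handleFrame() keeps a parser exception from escaping to the event loop.
// Frame format is simplified: "<type><json>", no namespace/ack id/binary.

const PacketType = { EVENT: 2, BINARY_EVENT: 5 }; // socket.io-protocol v5 values

// Pre-patch rule for EVENT / BINARY_EVENT: any non-empty array passes, so
// the event name in payload[0] is never type-checked.
function isEventPayloadValidBefore(payload) {
  return Array.isArray(payload) && payload.length > 0;
}

// 4.2.3 rule: the event name must be a string or a number. An empty array
// still fails because typeof undefined is "undefined".
function isEventPayloadValidAfter(payload) {
  return (
    Array.isArray(payload) &&
    (typeof payload[0] === "string" || typeof payload[0] === "number")
  );
}

// Decode a string frame such as 2["chat","hi"]. Like the patched parser it
// throws on a malformed frame instead of handing back an error packet.
function decodeEventFrame(frame, isValid) {
  const type = Number(frame.charAt(0));
  if (type !== PacketType.EVENT && type !== PacketType.BINARY_EVENT) {
    throw new Error("unsupported packet type " + frame.charAt(0));
  }
  let payload;
  try {
    payload = JSON.parse(frame.slice(1));
  } catch {
    payload = false; // same sentinel the parser's tryParse returns on bad JSON
  }
  if (!isValid(payload)) throw new Error("invalid payload");
  return { type, data: payload };
}

// Connection boundary: one bad frame must not become an uncaught exception.
// The caller drops the client on ok === false and logs the message, which is
// the "invalid payload" indicator listed later in this advisory.
function handleFrame(frame, isValid = isEventPayloadValidAfter) {
  try {
    return { ok: true, packet: decodeEventFrame(frame, isValid) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

With the pre-patch rule a frame whose event name is an object is accepted by `handleFrame` and reaches later processing; with the 4.2.3 rule the same frame is rejected at the boundary, and because the decode is wrapped in try/catch the rejection is a per-connection result rather than a process exit.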
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker establishes a WebSocket connection to a vulnerable Socket.IO server and sends a specially crafted packet with a malformed payload. The malicious packet bypasses initial validation checks but triggers an uncaught exception during parsing, causing the Node.js process to crash.
The attack can be executed with minimal effort using any WebSocket client, making it highly accessible to attackers. The vulnerability can be repeatedly exploited to cause persistent denial of service, preventing legitimate users from accessing the application.
// Patch from lib/index.ts - Adding proper event name format validation
// Source: https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3
return typeof payload === "string" || typeof payload === "object";
case PacketType.EVENT:
case PacketType.BINARY_EVENT:
- return Array.isArray(payload) && payload.length > 0;
+ return (
+ Array.isArray(payload) &&
+ (typeof payload[0] === "string" || typeof payload[0] === "number")
+ );
case PacketType.ACK:
case PacketType.BINARY_ACK:
return Array.isArray(payload);
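Review bot: the replacement drops the explicit `payload.length > 0` guard, and that is only safe because `typeof payload[0]` on an empty array is `"undefined"`, which matches neither branch; that reasoning deserves a one-line comment above the new `return (` so a later edit does not reinstate a separate length check or, worse, loosen the first-element check believing the emptiness case is unhandled. The ACK and BINARY_ACK cases below still accept any array, including an empty one, so it is worth stating in the same comment that the event-name rule is intentionally specific to EVENT and BINARY_EVENT.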
// Patch from index.js - Improved error handling for invalid payloads
// Source: https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced
// look up json data
if (str.charAt(++i)) {
var payload = tryParse(str.substr(i));
- var isPayloadValid = payload !== false && (p.type === exports.ERROR || isArray(payload));
- if (isPayloadValid) {
+ if (isPayloadValid(p.type, payload)) {
p.data = payload;
} else {
- return error('invalid payload');
+ throw new Error("invalid payload");
}
}
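Review bot: the old condition also required `payload !== false`, the sentinel `tryParse` returns when the JSON fails to parse; after the change that case is delegated entirely to `isPayloadValid(p.type, payload)`, so that function must reject a boolean for every packet type, including the ERROR type the old expression special-cased, or an unparseable payload would land in `p.data`. Replacing `return error('invalid payload')` with `throw new Error("invalid payload")` also changes the decoder's contract: callers no longer receive an in-band error packet, so every caller of this decode path has to wrap it in try/catch and close only the offending connection, and that expectation should be documented at the call site, since an uncaught throw here is exactly the process crash the fix is meant to stop.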
Detection Methods for CVE-2023-32695
Indicators of Compromise
- Unexpected Node.js process crashes or restarts on servers running Socket.IO
- Presence of uncaught exception errors in server logs mentioning "invalid payload" or socket.io-parser
- Spike in WebSocket connection attempts followed by immediate disconnections
- Process monitoring alerts indicating abnormal termination of Node.js services
Detection Strategies
- Monitor application logs for uncaught exceptions originating from the socket.io-parser module
- Implement process supervision tools (PM2, systemd, Docker health checks) to detect and alert on unexpected restarts
- Deploy network intrusion detection rules to identify anomalous WebSocket traffic patterns
- Use application performance monitoring (APM) to track Node.js process stability metrics
Monitoring Recommendations
- Configure centralized logging to capture and alert on Node.js crash events across all Socket.IO servers
- Set up real-time monitoring for Socket.IO connection metrics including connection failures and error rates
- Implement automated dependency scanning in CI/CD pipelines to detect vulnerable socket.io-parser versions
- Enable WebSocket traffic analysis to identify malformed packet patterns indicative of exploitation attempts
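The log-based indicators and detection strategies above, as an added example that is not part of the original advisory: a small scanner that flags parser rejections and counts Node.js crash events per host inside a sliding window, so a crash loop stands out from a one-off restart. The log format, host names, timestamps and process-manager wording are constructed for the example.

```javascript
// Added example, not part of the advisory: scan log lines for the two
// indicators named above (parser "invalid payload" errors, repeated Node.js
// process exits) and flag hosts that are in a crash loop.
// Line format "<iso-timestamp> <host> <source>: <message>" is constructed.

const SAMPLE_LOGS = [
  "2023-06-01T10:00:01Z web-1 app: client 203.0.113.5 connected",
  "2023-06-01T10:00:02Z web-1 app: Error: invalid payload",
  "2023-06-01T10:00:02Z web-1 systemd: node-app.service: Main process exited, code=exited, status=1",
  "2023-06-01T10:00:03Z web-1 systemd: node-app.service: Scheduling restart",
  "2023-06-01T10:00:10Z web-1 app: Error: invalid payload",
  "2023-06-01T10:00:10Z web-1 systemd: node-app.service: Main process exited, code=exited, status=1",
  "2023-06-01T10:00:25Z web-1 app: Error: invalid payload",
  "2023-06-01T10:00:25Z web-1 systemd: node-app.service: Main process exited, code=exited, status=1",
  "2023-06-01T10:05:00Z web-2 app: client 198.51.100.7 connected",
  "2023-06-01T11:30:00Z web-2 systemd: node-app.service: Main process exited, code=exited, status=1",
];

const LINE_RE = /^(\S+) (\S+) (\S+): (.*)$/;

// Parse one line into { ts (ms), host, source, msg }; null if it does not fit.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), host: m[2], source: m[3], msg: m[4] };
}

// Indicator: the parser rejected a frame, or an error names the module.
function isParserError(rec) {
  return /invalid payload/i.test(rec.msg) || /socket\.io-parser/.test(rec.msg);
}

// Indicator: the Node.js service process exited (wording is constructed;
// adapt the pattern to your process manager's actual message).
function isCrashEvent(rec) {
  return /Main process exited/.test(rec.msg);
}

// Hosts with at least `threshold` crash events inside any `windowMs` span.
function findCrashLoops(lines, { windowMs = 60000, threshold = 3 } = {}) {
  const byHost = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || !isCrashEvent(rec)) continue;
    if (!byHost.has(rec.host)) byHost.set(rec.host, []);
    byHost.get(rec.host).push(rec.ts);
  }
  const flagged = [];
  for (const [host, times] of byHost) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++; // slide the window
      if (end - start + 1 >= threshold) {
        flagged.push(host);
        break;
      }
    }
  }
  return flagged;
}

// Combined view for an alerting rule: how many parser rejections were seen
// and which hosts are cycling through crashes.
function summarize(lines, opts) {
  const parserErrors = lines
    .map(parseLine)
    .filter((r) => r && isParserError(r)).length;
  return { parserErrors, crashLoops: findCrashLoops(lines, opts) };
}
```

On the constructed sample, `summarize(SAMPLE_LOGS)` reports three parser rejections and flags `web-1`, whose three exits fall within 23 seconds, while the single exit on `web-2` is left alone. Tune `windowMs` and `threshold` to the restart cadence of your process manager so ordinary deploys do not trip the rule.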
How to Mitigate CVE-2023-32695
Immediate Actions Required
- Upgrade socket.io-parser to version 4.2.3 or later immediately across all affected environments
- Review all applications using Socket.IO and identify instances with vulnerable parser versions
- Implement process managers with automatic restart capabilities to minimize downtime during attacks
- Consider deploying rate limiting on WebSocket connections to reduce exploitation impact
Patch Information
The Socket.IO maintainers have released version 4.2.3 of socket.io-parser which addresses this vulnerability. The patch introduces proper validation of the event name format within incoming packets, ensuring that EVENT and BINARY_EVENT packet types contain valid string or numeric event names.
For more details, refer to:
Workarounds
- If immediate patching is not possible, implement a reverse proxy or WAF to filter potentially malicious WebSocket traffic
- Deploy global exception handlers in your Node.js application to prevent complete process termination
- Use process clustering with multiple worker processes to maintain partial availability during attacks
- Isolate Socket.IO services in containers with automatic restart policies
# Pin socket.io-parser to the patched release (npm install, not npm update,
# is the command that honours an explicit version)
npm install socket.io-parser@4.2.3
# Or update to the latest version
npm install socket.io-parser@latest
# Verify the installed version, including copies pulled in transitively by socket.io
npm list socket.io-parser
# For yarn users
yarn upgrade socket.io-parser@4.2.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.