CVE-2022-39386

fastify-websocket vulnerable to uncaught exception via crash on malformed packet

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent: the malformed frame raises an error on the WebSocket connection that nothing handles, and the resulting uncaught exception (CWE-248) terminates the Node.js process. All versions of the older fastify-websocket package are also impacted; that module is deprecated, so it will not be patched. The issue is fixed in @fastify/websocket 7.1.1 (for Fastify v4) and 5.0.1 (for Fastify v3). There are currently no known workarounds, although it should be possible to register the 'error' handler on the connection manually. The recommended path is upgrading to the patched versions.


*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-09-02 CVE Reserved
  • 2022-11-08 CVE Published
  • 2024-05-31 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-248: Uncaught Exception
CAPEC
Affected Vendors, Products, and Versions
Vendor    Product    Version             Other    Status
Fastify   Websocket  >= 6.0.0 < 7.1.1    node.js  Affected
Fastify   Websocket  5.0.0               node.js  Affected