fastify-websocket vulnerable to uncaught exception via crash on malformed packet
CVE-2022-39386

7.5HIGH

Key Information:

Vendor: Fastify
Status: Fastify-websocket
Vendor: CVE Published:; 8 November 2022

What is CVE-2022-39386?

@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1.1 (fastify v4) and version 5.0.1 (fastify v3). There are currently no known workarounds. However, it should be possible to attach the error handler manually. The recommended path is upgrading to the patched versions.

Affected Version(s)

fastify-websocket >= 5.0.0, < 5.0.1 < 5.0.0, 5.0.1

fastify-websocket >= 6.0.0, < 7.1.1 < 6.0.0, 7.1.1

fastify-websocket <= 4.3.0 <= 4.3.0

References

https://github.com/fastify/fastify-websocket/security/adv...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 8, 2022
Vulnerability Reserved
Sep 2, 2022

CVE-2022-39386 Data

JSON