CVE-2022-39386: Crash on malformed packet

November 8, 2022 (updated November 9, 2022)

@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1.1 (fastify v4) and version 5.0.1 (fastify v3). There are currently no known workarounds. However, it should be possible to attach the error handler manually. The recommended path is upgrading to the patched versions.

References

github.com/advisories/GHSA-4pcg-wr6c-h9cq
github.com/fastify/fastify-websocket/releases/tag/v5.0.1
github.com/fastify/fastify-websocket/releases/tag/v7.1.1
github.com/fastify/fastify-websocket/security/advisories/GHSA-4pcg-wr6c-h9cq
nvd.nist.gov/vuln/detail/CVE-2022-39386

Code Behaviors & Features

Detect and mitigate CVE-2022-39386 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →