[GH-ISSUE #261] Security Vulnerabilities in Frontail #168

Open
opened 2026-03-03 16:05:46 +03:00 by kerem · 0 comments

Originally created by @Ltty on GitHub (Oct 8, 2024).
Original GitHub issue: https://github.com/mthenw/frontail/issues/261

Hi all,

in the course of adding observability to openhab, I also stumbled across a few security vulnerabilities in frontail, which I wanted to point out for whom it may concern.

Third-party DoS vulnerability (SNYK-JS-SOCKETIOPARSER-5596892):
[socket.io-parser](https://www.npmjs.org/package/socket.io-parser) is a [socket.io](http://socket.io/) protocol parser.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to insufficient validation when decoding a packet. An attacker can send an event with a name like `'2[{"toString":"foo"}]'` to trigger an uncaught exception and a crash, like the one below.

```
TypeError: Cannot convert object to primitive value
    at Socket.emit (node:events:507:25)
    at .../node_modules/socket.io/lib/socket.js:531:14
```

For more information visit [SNYK](https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-5596892?utm_campaign=dynatrace-application-security&utm_medium=partner&utm_source=dynatrace)

CVE: [CVE-2023-32695](https://nvd.nist.gov/vuln/detail/CVE-2023-32695)
OWASP: [2021:A6](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/)
CWE: [CWE-400](https://cwe.mitre.org/data/definitions/400.html)

Affected processes:
bin/frontail (frontail)

Fix recommendation:
Upgrade socket.io-parser to version 3.4.3, 4.2.3 or higher.

Third-party Uncaught Exception vulnerability (SNYK-JS-SOCKETIOPARSER-5596892):
[socket.io](https://github.com/socketio/socket.io) is a node.js realtime framework server.

Affected versions of this package are vulnerable to Uncaught Exception in handling error events. If there is no listener set up for such events, an attacker can send packets containing them to crash the Node process.

For more information visit [SNYK](https://snyk.io/vuln/SNYK-JS-SOCKETIO-7278048?utm_campaign=dynatrace-application-security&utm_medium=partner&utm_source=dynatrace)

CVE: [CVE-2024-38355](https://nvd.nist.gov/vuln/detail/CVE-2024-38355)
OWASP: [2021:A6](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/)
CWE: [CWE-248](https://cwe.mitre.org/data/definitions/248.html)

Affected processes:
bin/frontail (frontail)

Fix recommendation:
Upgrade socket.io to version 2.5.1, 4.6.2 or higher.

Third-party DoS vulnerability (SNYK-JS-ENGINEIO-3136336):
[engine.io](https://github.com/socketio/engine.io) is the realtime engine behind [Socket.IO](http://socket.io/). It provides the foundation of a bidirectional connection between client and server.

Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process.

For more information visit [SNYK](https://snyk.io/vuln/SNYK-JS-ENGINEIO-3136336?utm_campaign=dynatrace-application-security&utm_medium=partner&utm_source=dynatrace)

CVE: [CVE-2022-41940](https://nvd.nist.gov/vuln/detail/CVE-2022-41940)
OWASP: [2021:A6](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/)
CWE: [CWE-400](https://cwe.mitre.org/data/definitions/400.html)

Affected processes:
bin/frontail (frontail)

Fix recommendation:
Upgrade engine.io to version 3.6.1, 6.2.1 or higher.

Third-party DoS vulnerability (SNYK-JS-WS-7266574):
[ws](https://www.npmjs.com/package/ws) is a simple-to-use websocket client, server and console for node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS) when the number of received headers exceeds the server.maxHeadersCount or request.maxHeadersCount threshold.

For more information visit [SNYK](https://snyk.io/vuln/SNYK-JS-WS-7266574?utm_campaign=dynatrace-application-security&utm_medium=partner&utm_source=dynatrace)

Node.js

CVE: [CVE-2024-37890](https://nvd.nist.gov/vuln/detail/CVE-2024-37890)
OWASP: [2021:A6](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/)
CWE: [CWE-400](https://cwe.mitre.org/data/definitions/400.html)

Affected processes:
bin/frontail (frontail)

Fix recommendation:
Upgrade ws to version 5.2.4, 6.2.3, 7.5.10, 8.17.1 or higher.
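An added example (editor's code, not from the issue or the frontail project) that turns the four "Fix recommendation" lines above into an automated check: it walks an `npm ls --all --json` dependency tree and reports every copy of socket.io-parser, socket.io, engine.io or ws that is older than the fixed release of its own major line. The tree embedded at the bottom is a constructed sample, not frontail's real lock file; feed `findVulnerable(JSON.parse(fs.readFileSync("npm-ls.json")))` the real output in practice.

```javascript
// Added example (not the issue's or project's code): check the four packages named in
// the report against its "Fix recommendation" lines, walking an `npm ls --all --json` tree.
const FIXED = { // minimum fixed release per major line, as stated in the issue
  "socket.io-parser": ["3.4.3", "4.2.3"],
  "socket.io": ["2.5.1", "4.6.2"],
  "engine.io": ["3.6.1", "6.2.1"],
  ws: ["5.2.4", "6.2.3", "7.5.10", "8.17.1"],
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// "X, Y or higher": fixed if >= the listed release of its own major line, or if its
// major is newer than every listed major. A major with no listed fix (ws 4.x) is vulnerable.
function isFixed(pkg, version) {
  const fixes = FIXED[pkg];
  if (!fixes) return true; // not one of the reported packages
  const major = parseVersion(version)[0];
  const sameLine = fixes.find((f) => parseVersion(f)[0] === major);
  if (sameLine) return compareVersions(version, sameLine) >= 0;
  return major > Math.max(...fixes.map((f) => parseVersion(f)[0]));
}

// Recurse through the tree and report every vulnerable instance with its dependency path.
function findVulnerable(tree, path = []) {
  const out = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (FIXED[name] && node.version && !isFixed(name, node.version)) {
      out.push({ name, version: node.version, path: here.join(" > ") });
    }
    out.push(...findVulnerable(node, here)); // nested (transitive) copies count too
  }
  return out;
}

// Constructed sample tree (not frontail's real dependency tree); all four are too old.
const SAMPLE_TREE = { dependencies: { "socket.io": { version: "2.4.1", dependencies: {
  "engine.io": { version: "3.5.0", dependencies: { ws: { version: "7.4.6" } } },
  "socket.io-parser": { version: "3.4.1" } } } } };
```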
