SockJS 0.3.19 affected by CVE-2020-7693

Hi all,

I’m sharing some old security research in this new forum category that may affect anyone still using an outdated version of Meteor (<1.10.2, SockJS 0.3.19). Any apps using these affected versions may be vulnerable to denial-of-service attacks (CVE-2020-7693). An unauthenticated attacker can crash containers.

To fix, upgrade to newer versions of SockJS.

For more info, see:

Cheers!

4 Likes
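A quick way to check whether an outdated sockjs copy is still pulled in (possibly nested under another dependency) is to scan the app's npm lockfile. This is an added example, not code from the post above or from Meteor; it assumes a standard npm `package-lock.json` (v1 `dependencies` tree or v2/v3 `packages` map) and treats any sockjs at or below 0.3.19, the version named in the thread, as needing an upgrade.

```javascript
// Added example: list sockjs entries in a package-lock.json that are still
// at or below 0.3.19 (the version named in the CVE-2020-7693 post above).
// Assumes npm lockfile v1 ("dependencies" tree) or v2/v3 ("packages" map).
function parseVersion(v) {
  // Accept "0.3.19", "v0.3.19", "=0.3.19"; ignore prerelease/build suffixes.
  const m = /^[v=]?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function lessOrEqual(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return true;
}

const LAST_VULNERABLE = [0, 3, 19]; // sockjs 0.3.19, as reported in the thread

function findVulnerableSockjs(lock) {
  const hits = [];
  const check = (path, version) => {
    const parsed = parseVersion(version || "");
    if (parsed && lessOrEqual(parsed, LAST_VULNERABLE)) hits.push({ path, version });
  };
  if (lock.packages) {
    // lockfile v2/v3: keys are install paths such as "node_modules/foo/node_modules/sockjs"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/sockjs" || path.endsWith("/node_modules/sockjs")) check(path, meta.version);
    }
  } else if (lock.dependencies) {
    // lockfile v1: nested "dependencies" objects, walked recursively
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "sockjs") check(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (v1 shape): a patched top-level sockjs plus an
// outdated copy nested under a hypothetical legacy package.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "sockjs": { version: "0.3.24" },
    "some-legacy-pkg": { version: "1.0.0", dependencies: { "sockjs": { version: "0.3.19" } } },
  },
};

console.log(findVulnerableSockjs(SAMPLE_LOCK));
// → [ { path: 'node_modules/some-legacy-pkg/node_modules/sockjs', version: '0.3.19' } ]
```

Point the function at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; a non-empty result means a copy still needs upgrading.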

Interesting, thanks for sharing :clap:

Looking at the Meteor changelog, @harry97 updated sockjs to v0.3.24 (and v1.6.1 on the client) in Meteor v2.12.0; these are the latest versions as of this date. Before that, it is a bit hard to track from the changelog alone.

1 Like