Vulnerability write-up - “Dangerous assumptions”

Last year, during a tangent for a project, Kevin and I found a series of vulnerabilities in (combinations of) several Node.js packages that led to critical issues for our client, and most likely other users as well.

It was a lot of fun learning about all the ways that logic in JavaScript code like this can break, mostly by abusing its dynamic typing and oddities like __proto__. All in all, this resulted in 6 CVEs in three different packages (Feathers.js, Sequelize and Socket.IO).

You can read the full write-up here.