{"id":"CVE-2022-2421","details":"Due to improper type validation in the attachment parsing of the Socket.io js library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.","aliases":["GHSA-qm95-pgcg-qqfq"],"modified":"2026-04-10T04:45:19.828561Z","published":"2022-10-26T10:15:16.780Z","references":[{"type":"ADVISORY","url":"https://csirt.divd.nl/CVE-2022-2421"},{"type":"ADVISORY","url":"https://csirt.divd.nl/DIVD-2022-00045"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/socketio/socket.io-parser","events":[{"introduced":"0"},{"fixed":"cd11e38e1a3e2146617bc586f86512605607b212"},{"introduced":"652402a8568c2138da3c27c96756b32efca6c4bf"},{"fixed":"4b3c191bc411578099c8dd35499d8c7a75860192"},{"introduced":"c04d7f5c47ed712eb0f56cfc1a859f1aaa828f1e"},{"fixed":"f3329eb5a46b215a3fdf91b6008c56cf177a4124"},{"introduced":"5ad3e5cc4b16326e3def2b834bd90c0424bfdd83"},{"fixed":"5a2ccff9d1d8fdbadd3faad9290a9e3b165cf9a2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.3.3"},{"introduced":"3.4.0"},{"fixed":"3.4.2"},{"introduced":"4.0.0"},{"fixed":"4.0.5"},{"introduced":"4.1.0"},{"fixed":"4.2.1"}]}}],"versions":["2.0.0","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.2.0","2.2.1","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.3.0","2.3.1","2.3.2","3.0.0","3.1.0","3.1.1","3.1.2","3.1.3","3.2.0","3.3.0","3.3.1","3.3.2","3.4.0","3.4.1","4.0.0","4.0.1","4.0.1-rc1","4.0.1-rc2","4.0.1-rc3","4.0.2","4.0.3","4.0.4","4.1.0","4.1.1","4.1.2","4.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2421.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}