Lookup for vulnerable packages by Package URL.
| Purl | pkg:npm/%40soketi/soketi@0.19.1 |
| Type | npm |
| Namespace | @soketi |
| Name | soketi |
| Version | 0.19.1 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | 1.6.0 |
| Latest_non_vulnerable_version | 1.6.0 |
Affected_by_vulnerabilities (3 entries):

## Affected_by_vulnerabilities[0]: VCID-6h1v-7r16-t7c3

| url | VCID-6h1v-7r16-t7c3 |
| vulnerability_id | VCID-6h1v-7r16-t7c3 |
| aliases | CVE-2022-21667, GHSA-86ch-6w7v-v6xf, GMS-2022-2 |
| fixed_packages | |
| risk_score | 4.0 |
| exploitability | 0.5 |
| weighted_severity | 8.0 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-6h1v-7r16-t7c3 |

summary:

Denial of Service in soketi

### Impact
_What kind of vulnerability is it? Who is impacted?_

There was a wrong behavior when reading POST requests, making the server crash if it couldn't read the body. In case a POST request was sent to any endpoint of the server with an empty body, **even unauthenticated with the Pusher Protocol**, it would simply crash the server for trying to send a response after the request closed.

All users that run the server are affected by it, and it's highly recommended to upgrade to the latest patch.

### Patches
_Has the problem been patched? What versions should users upgrade to?_

Updating to at least or the latest version.

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

No. Upgrading is the only solution.

### References
_Are there any links users can visit to find out more?_

https://github.com/soketi/soketi/releases/tag/0.24.1

### For more information
If you have any questions or comments about this advisory:

* Open an issue in [the issues board](https://github.com/soketi/soketi/issues)
* Email us at [alex@renoki.org](mailto:alex@renoki.org)

references:

| 0 | reference_url | https://api.first.org/data/v1/epss?cve=CVE-2022-21667 |
| 0 | reference_id | |
| 0 | reference_type | |
| 0 | url | https://api.first.org/data/v1/epss?cve=CVE-2022-21667 |

scores for references[0]:

| # | value | scoring_system | scoring_elements | published_at |
| 0 | 0.01227 | epss | 0.7949 | 2026-06-08T12:55:00Z |
| 1 | 0.01227 | epss | 0.79475 | 2026-06-04T12:55:00Z |
| 2 | 0.01227 | epss | 0.79502 | 2026-06-05T12:55:00Z |
| 3 | 0.01227 | epss | 0.79508 | 2026-06-09T12:55:00Z |
| 4 | 0.01227 | epss | 0.795 | 2026-06-07T12:55:00Z |

references 1 to 6: empty in the record.

## Affected_by_vulnerabilities[1]: VCID-grwn-qms1-7fgq

| url | VCID-grwn-qms1-7fgq |
| vulnerability_id | VCID-grwn-qms1-7fgq |
| aliases | GHSA-2w8g-m5j8-7m87, GMS-2022-63 |
| references | |
| fixed_packages | |
| risk_score | 4.5 |
| exploitability | 0.5 |
| weighted_severity | 9.0 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-grwn-qms1-7fgq |

summary:

Zalgo-like output that crashes the server

### Impact
_What kind of vulnerability is it? Who is impacted?_

The [`colors`](https://npmjs.com/package/colors) package caused zalgo-like output (see https://github.com/soketi/soketi/issues/276, https://github.com/Marak/colors.js/issues/289), breaking the servers.

**Only NPM users that recently upgraded or installed the NPM package are affected.**

Docker users seem not to be affected, as the dependencies were bundled at the time of the build, which were tested.

### Patches
_Has the problem been patched? What versions should users upgrade to?_

Latest patch. `0.26.1` to be exact at the time of writing.

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

You cannot get around this as it's related to dependencies.

### References
_Are there any links users can visit to find out more?_

- https://github.com/Marak/colors.js/issues/289

### For more information
If you have any questions or comments about this advisory:

* Open an issue in [the issues board](https://github.com/soketi/soketi/issues)
* Email us at [alex@renoki.org](mailto:alex@renoki.org)

## Affected_by_vulnerabilities[2]: VCID-najf-jgbf-xker

| url | VCID-najf-jgbf-xker |
| vulnerability_id | VCID-najf-jgbf-xker |
| aliases | GHSA-g6w6-h933-4rc5, GMS-2023-1877 |
| references | |
| fixed_packages | |
| risk_score | 4.5 |
| exploitability | 0.5 |
| weighted_severity | 9.0 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-najf-jgbf-xker |

summary:

Soketi was exposed to a Sandbox Escape vulnerability via vm2

### Impact
_What kind of vulnerability is it? Who is impacted?_

Anyone who might have used Soketi with the `cluster` driver (or through PM2).

### Patches
_Has the problem been patched? What versions should users upgrade to?_

Get the latest version of Soketi.

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

None. It's advised to upgrade to the latest version.

### References
_Are there any links users can visit to find out more?_

- https://github.com/advisories/GHSA-cchq-frgv-rjh5
- https://github.com/patriksimek/vm2/issues/533
- https://github.com/Unitech/pm2/issues/5643
| Fixing_vulnerabilities | |
| Risk_score | 4.5 |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:npm/%2540soketi/soketi@0.19.1 |