VulnerableCode Package Details - pkg:npm/engine.io@5.2.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-jz1p-pxvn-uqdv Aliases: CVE-2022-41940 GHSA-r7qp-cfhv-p84w	Uncaught exception in engine.io	6.2.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ph49-7rv6-f7fr Aliases: CVE-2022-21676 GHSA-273r-mgr4-v34f	Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package starting from version `4.0.0`, including those who uses depending packages like `socket.io`. Versions prior to `4.0.0` are not impacted. A fix has been released for each major branch, namely `4.1.2` for the `4.x.x` branch, `5.2.1` for the `5.x.x` branch, and `6.1.1` for the `6.x.x` branch. There is no known workaround except upgrading to a safe version.	5.2.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.1.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-qutm-ax5s-jfeh Aliases: CVE-2023-31125 GHSA-q9mw-68c2-j6m5	Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package, including those who use depending packages like `socket.io`. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.	6.4.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-jz1p-pxvn-uqdv
Aliases:
CVE-2022-41940
GHSA-r7qp-cfhv-p84w

Uncaught exception in engine.io

6.2.1
Affected by 1 other vulnerability.

VCID-ph49-7rv6-f7fr
Aliases:
CVE-2022-21676
GHSA-273r-mgr4-v34f

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package starting from version `4.0.0`, including those who uses depending packages like `socket.io`. Versions prior to `4.0.0` are not impacted. A fix has been released for each major branch, namely `4.1.2` for the `4.x.x` branch, `5.2.1` for the `5.x.x` branch, and `6.1.1` for the `6.x.x` branch. There is no known workaround except upgrading to a safe version.

5.2.1
Affected by 2 other vulnerabilities.

6.1.1
Affected by 2 other vulnerabilities.

VCID-qutm-ax5s-jfeh
Aliases:
CVE-2023-31125
GHSA-q9mw-68c2-j6m5

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package, including those who use depending packages like `socket.io`. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.

6.4.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T18:54:21.781186+00:00	GitLab Importer	Affected by	VCID-qutm-ax5s-jfeh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/engine.io/CVE-2023-31125.yml	38.6.0
2026-06-12T18:40:23.687219+00:00	GitLab Importer	Affected by	VCID-jz1p-pxvn-uqdv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/engine.io/CVE-2022-41940.yml	38.6.0
2026-06-12T17:55:39.330489+00:00	GitLab Importer	Affected by	VCID-ph49-7rv6-f7fr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/engine.io/CVE-2022-21676.yml	38.6.0