SocketIO - debug version 4.0.0 to 4.3.0 - CVE-2017-16137 #3523

Open
pabloherre opened this issue Aug 6, 2024 · 0 comments

Comments

@pabloherre

Regular Expression Denial of Service vulnerability using @feathersjs/socketio version 4.5.XX

@feathersjs/socketio v4 relies on engine.io 3.4.0, which uses debug 4.0.0; npm audit reports a vulnerability for these versions (Regular Expression Denial of Service in debug).

Expected behavior

No vulnerabilities.

Steps to reproduce

Install the following package.json:

{
    "name": "test",
    "version": "1.0.0",
    "main": "index.js",
    "scripts": {
        "test": "echo \"Error: no test specified\" && exit 1"
    },
    "author": "",
    "license": "ISC",
    "description": "",
    "dependencies": {
        "@feathersjs/adapter-commons": "^4.5.17",
        "@feathersjs/authentication": "^4.5.18",
        "@feathersjs/authentication-local": "^4.5.18",
        "@feathersjs/authentication-oauth": "^4.5.18",
        "@feathersjs/configuration": "^4.5.17",
        "@feathersjs/errors": "^4.5.17",
        "@feathersjs/express": "^4.5.18",
        "@feathersjs/feathers": "^4.5.17",
        "@feathersjs/socketio": "^4.5.18",
        "@feathersjs/transport-commons": "^4.5.18"
    }
}

npm install

Output

[screenshot of the npm audit output]

System configuration

Module versions:

  • "@feathersjs/adapter-commons": "^4.5.17"
  • "@feathersjs/authentication": "^4.5.18"
  • "@feathersjs/authentication-local": "^4.5.18"
  • "@feathersjs/authentication-oauth": "^4.5.18"
  • "@feathersjs/configuration": "^4.5.17"
  • "@feathersjs/errors": "^4.5.17"
  • "@feathersjs/express": "^4.5.18"
  • "@feathersjs/feathers": "^4.5.17"
  • "@feathersjs/socketio": "^4.5.18"
  • "@feathersjs/transport-commons": "^4.5.18"

NodeJS version: 22.2.0
NPM version: 10.7.0
Operating System: Windows 11 home 23H2
Module Loader: commonjs
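An added example, not part of the issue or of the Feathers project: a Node.js script that scans a package-lock.json (lockfileVersion 2 or 3) for copies of debug inside the 4.0.0 to 4.3.0 range named in the title and reports which dependency pulls each copy in, so the transitive path (here @feathersjs/socketio to engine.io to debug) can be confirmed independently of the npm audit screenshot. The sample lockfile, its paths and its version numbers are constructed for the example.

```javascript
// Lower and upper bounds of the affected debug range, inclusive, as given in the issue title.
const MIN = [4, 0, 0];
const MAX = [4, 3, 0];

// "4.1.1" -> [4, 1, 1]; returns null for anything that is not a plain semver triple.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function inAffectedRange(version) {
  const v = parseVersion(version);
  return v !== null && cmp(v, MIN) >= 0 && cmp(v, MAX) <= 0;
}

// Derive the package that owns a nested copy from its lockfile path:
// "node_modules/engine.io/node_modules/debug" -> "engine.io"; a hoisted copy -> "(root)".
function parentOf(pkgPath) {
  const parts = pkgPath.split("node_modules/").filter(Boolean);
  return parts.length >= 2 ? parts[parts.length - 2].replace(/\/$/, "") : "(root)";
}

// Walk the "packages" map of a parsed lockfile (in practice:
// JSON.parse(fs.readFileSync("package-lock.json", "utf8"))) and collect affected debug copies.
function findAffectedDebug(lock) {
  const out = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (!p.endsWith("node_modules/debug") || !meta.version) continue;
    if (inAffectedRange(meta.version)) out.push({ path: p, version: meta.version, parent: parentOf(p) });
  }
  return out;
}

// Constructed sample lockfile mirroring the chain described in the issue.
// Only the engine.io copy falls inside 4.0.0..4.3.0; the hoisted 4.3.4 and express's 2.6.9 do not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@feathersjs/socketio": { version: "4.5.18" },
    "node_modules/engine.io": { version: "3.4.0" },
    "node_modules/engine.io/node_modules/debug": { version: "4.1.1" },
    "node_modules/express/node_modules/debug": { version: "2.6.9" },
    "node_modules/debug": { version: "4.3.4" },
  },
};

for (const f of findAffectedDebug(SAMPLE_LOCK)) console.log(`${f.parent} pulls in debug@${f.version} (${f.path})`);
```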
