Description
Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.
Remediation
References
https://csirt.divd.nl/CVE-2022-2421
https://csirt.divd.nl/DIVD-2022-00045
Related Vulnerabilities
CVE-2022-35915 Vulnerability in npm package @openzeppelin/contracts
CVE-2021-39227 Vulnerability in npm package zrender
CVE-2018-9206 Vulnerability in npm package blueimp-file-upload
CVE-2020-13128 Vulnerability in maven package com.googlecode.gwtupload:gwtupload-project
CVE-2021-21409 Vulnerability in maven package io.netty:netty-codec-http2