Description
Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.
Remediation
References
https://csirt.divd.nl/CVE-2022-2421
https://csirt.divd.nl/DIVD-2022-00045
Related Vulnerabilities
CVE-2022-35916 Vulnerability in npm package @openzeppelin/contracts
CVE-2023-47321 Vulnerability in maven package org.silverpeas.core:silverpeas-core-web
CVE-2017-3151 Vulnerability in maven package org.apache.atlas:apache-atlas
CVE-2019-1003070 Vulnerability in maven package org.jenkins-ci.plugins:veracode-scanner
CVE-2021-21193 Vulnerability in maven package org.webjars.npm:electron