Security Vulnerabilities in Frontail

Hi all,

in the course of adding observability to openhab, I also stumbled across a few security vulnerabilites in frontail, I wanted to point out for whom it may concern.

Third-party DoS vulnerability (SNYK-JS-SOCKETIOPARSER-5596892):
socket.io-parser is a socket.io protocol parser

Affected versions of this package are vulnerable to Denial of Service (DoS) due to insufficient validation when decoding a packet. An attacker can send an event with a name like '2[{"toString":"foo"}]' to trigger an uncaught exception and a crash, like the below.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

For more information visit SNYK

CVE​: CVE-2023-32695
OWASP​: 2021:A6
CWE​: CWE-400

Affected processes
bin/frontail (frontail)

Fix recommendation
Upgrade socket.io-parser to version 3.4.3, 4.2.3 or higher.

Third-party Uncaught Exception vulnerability (SNYK-JS-SOCKETIOPARSER-5596892):
socket.io is a node.js realtime framework server.

Affected versions of this package are vulnerable to Uncaught Exception in handling error events. If there is no listener set up for such events, an attacker can send packets containing them to crash the Node process.

For more information visit SNYK

CVE​: CVE-2024-38355
OWASP​: 2021:A6
CWE​: CWE-248

Affected processes:
bin/frontail (frontail)

Fix recommendation
Upgrade socket.io to version 2.5.1, 4.6.2 or higher.

Third-party DoS vulnerability (SNYK-JS-ENGINEIO-3136336)
engine.io is a realtime engine behind Socket.IO. It provides the foundation of a bidirectional connection between client and server

Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process.

For more information visit SNYK

CVE​: CVE-2022-41940
OWASP​: 2021:A6
CWE​: CWE-400

Affected processes:
bin/frontail (frontail)

Fix recommendation
Upgrade engine.io to version 3.6.1, 6.2.1 or higher.

Third-party DoS vulnerability (SNYK-JS-WS-7266574)
ws is a simple to use websocket client, server and console for node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS) when the number of received headers exceed the server.maxHeadersCount or request.maxHeadersCount threshold.

For more information visit SNYK

Node.js

CVE​: CVE-2024-37890
OWASP​: 2021:A6
CWE​: CWE-400

Affected processes:
bin/frontail (frontail)

Fix recommendation
Upgrade ws to version 5.2.4, 6.2.3, 7.5.10, 8.17.1 or higher.

Reporting it here is important to warn OH users, particularly openHABian users. But we don’t own nore maintain Frontail here. Has this been reported upstream to Frontail?

Good point and no, not yet. Also, there hasn’t been a release since 2021.

it might be abandoned. If someone knows if a replacement it might be worth an issue and pr to openHABian. There’s also been some work to implement log streaming native to OH but I’m not sure where that sits. There will need to be changes on both core and the UI to make it work.