CVE-2022-42975 in Phoenixinfo

Summary

by MITRE • 10/17/2022

socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/10/2025

The vulnerability identified as CVE-2022-42975 affects the Phoenix web framework version 1.6.14 and earlier, specifically within the socket/transport.ex module responsible for handling WebSocket connections and origin validation. This flaw represents a critical security oversight in the framework's cross-origin resource sharing (CORS) implementation that could potentially allow unauthorized access to WebSocket endpoints. The issue stems from how the framework processes wildcard patterns in origin validation checks, creating a potential attack vector for malicious actors seeking to bypass security restrictions.

The technical flaw manifests in the improper handling of check_origin wildcarding mechanisms within Phoenix's WebSocket transport layer. When developers configure origin validation with wildcard patterns, the framework fails to properly sanitize or validate these patterns, potentially allowing attackers to craft malicious origin headers that match the wildcard criteria. This vulnerability falls under CWE-290 authentication bypass through wildcards, where the system's trust in wildcard patterns creates an avenue for unauthorized access. The flaw specifically affects the socket transport layer's ability to distinguish between legitimate and malicious origin requests, particularly when wildcard characters are used in origin validation rules.

The operational impact of this vulnerability extends beyond simple access control bypasses, as it could enable attackers to establish unauthorized WebSocket connections to applications running vulnerable versions of Phoenix. This capability opens doors for various attack vectors including session hijacking, data exfiltration, and potentially full application compromise if the WebSocket endpoints expose sensitive functionality. The vulnerability is particularly concerning because WebSocket connections often maintain persistent sessions and can provide attackers with extended access windows. According to ATT&CK framework, this issue maps to T1071.004 Application Layer Protocol: DNS and T1566.001 Phishing: Spearphishing Attachment, as attackers could leverage compromised WebSocket connections to maintain persistence and exfiltrate data. The impact is amplified when considering that many Phoenix applications use WebSocket connections for real-time features, making this vulnerability particularly dangerous in environments where real-time communication is critical.

While the vulnerability affects the core Phoenix framework, it's important to note that LiveView applications remain unaffected by default due to the presence of CSRF tokens that provide additional protection layers. This distinction highlights the importance of understanding the specific components of web frameworks that are vulnerable to particular attack vectors. Organizations using Phoenix versions prior to 1.6.14 should immediately implement mitigations including upgrading to the patched version, reviewing and tightening origin validation configurations, and monitoring for suspicious WebSocket connection patterns. The recommended remediation includes not only upgrading to Phoenix 1.6.14 or later but also implementing proper input validation for all origin headers and avoiding overly permissive wildcard patterns in production environments. Security teams should also consider implementing network-level controls to monitor and restrict WebSocket traffic patterns that might indicate exploitation attempts.

Reservation

10/17/2022

Disclosure

10/17/2022

Moderation

accepted

CPE

ready

EPSS

0.00520

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!