CVE-2024-38355
7.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22 which has been included in socket.io@4.6.2 (released in May 2023). The fix was backported in the 2.x branch as well with commit d30630ba10. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| socketio | socket.io | < 2.5.1 | affected |
| socketio | socket.io | >= 3.0.0,< 4.6.2 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
- CWE-754: CWE-754: Improper Check for Unusual or Exceptional Conditions
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj
- https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
- https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
- https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj
- https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
- https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.