CVE-2024-38355

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-38355
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.

7.3 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj
Configurations

No configuration.

History

20 Jun 2024, 12:43

Type Values Removed Values Added
Summary
  • (es) Socket.IO es un framework de comunicación de código abierto, en tiempo real, bidireccional y basado en eventos. Un paquete Socket.IO especialmente manipulado puede desencadenar una excepción no detectada en el servidor Socket.IO, matando así el proceso Node.js. Este problema se solucionó mediante el commit `15af22fc22` que se incluyó en `socket.io@4.6.2` (publicado en mayo de 2023). La solución también se respaldó en la rama 2.x con el commit `d30630ba10`. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden adjuntar un detector del evento "error" para detectar estos errores.

19 Jun 2024, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-06-19 20:15

Updated : 2024-06-20 12:43

NVD link : CVE-2024-38355

Mitre link : CVE-2024-38355

CVE.ORG link : CVE-2024-38355

JSON object : View

Products Affected

No product.

CWE
CWE-20

Improper Input Validation

CWE-754

Improper Check for Unusual or Exceptional Conditions