CVE-2024-38355

19.06.2024, 20:15

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.3 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
GitHub_M	CNA	7.3 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 28%

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115

https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115

https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj

https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355