CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
15.5%
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
node:events:502
throw err; // Unhandled 'error' event
^
Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
at new NodeError (node:internal/errors:405:5)
at Socket.emit (node:events:500:17)
at /myapp/node_modules/socket.io/lib/socket.js:531:14
at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
code: 'ERR_UNHANDLED_ERROR',
context: undefined
}
Version range | Needs minor update? |
---|---|
4.6.2...latest |
Nothing to do |
3.0.0...4.6.1 |
Please upgrade to [email protected] (at least) |
2.3.0...2.5.0 |
Please upgrade to [email protected] |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in [email protected]
(released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io
package, you can attach a listener for the “error” event:
io.on("connection", (socket) => {
socket.on("error", () => {
// ...
});
});
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.
github.com/advisories/GHSA-25hc-qcg6-38wj
github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj
nvd.nist.gov/vuln/detail/CVE-2024-38355