Denial Of Service (DoS)
socket.io is vulnerable to Denial of Service (DoS). The vulnerability is due to a specially crafted Socket.IO packet triggering an uncaught exception, which kills the Node.js process, allowing an attacker to crash the server by sending a malicious packet...
CVE-2024-38355
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22 which has been included in...
CVE-2024-38355 Unhandled 'error' event in socket.io
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22 which has been included in...
CVE-2024-38355
Socket.IO vulnerability CVE-2024-38355 involves an unhandled 'error' event that can trigger an uncaught exception on the Socket.IO server, potentially killing a Node.js process and enabling a denial-of-service condition. Official details state a fix is included in socket.io@4.6.2 (May 2023) and b...
0.edsql (>=1.0.49 <=1.0.50), 10secondsofcode-custom (=1.0.0) +1787 more potentially affected by CVE-2024-38355 via socket.io (>=3.0.0 <=4.6.1)
socket.io NPM version =3.0.0, =1.0.49, =1.0.0, =0.0.28, =1.0.1, =0.8.2, =1.0.0, =0.1.13, =0.0.4, =1.2.1, =15.0.0, =1.0.1, =1.0.2; @aaronconway7/create-gatsby-app =1.0.0; @accio-cms/gatsby-starter-accio =0.0.1; and more. Source CVEs: CVE-2024-38355. Source advisory: OSV:GHSA-25HC-QCG6-38WJ...
Socket.IO Security Vulnerability
Socket.IO is a JavaScript library for real-time web applications from Socket.IO. A security vulnerability exists in Socket.IO that stems from a specially crafted Socket.IO packet that could trigger an uncaught exception on the server, terminating the Node.js process...
Missing Origin Validation
uptime-kuma is vulnerable to Missing Origin Validation. The server doesn't validate the Origin header when a user connects to the server using Socket.IO. An attacker can access protected endpoints and sensitive data by exploiting this vulnerability...
CVE-2023-49805 Uptime Kuma Missing Origin Validation in WebSockets
Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket with Socket.io, but it does not verify that the source of communication is valid. This allows a third-party website to access the application on behalf of its client. When connecting...
Fedora 39 : magicmirror (2023-3a06c965b4)
The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-3a06c965b4 advisory. Automatic update for magicmirror-2.24.0-1.fc39. Changelog Sun Jul 9 2023 Davide Cavalca - 2.24.0-1 - Update to 2.24.0; Fixes: RHBZ2184597,...
Design/Logic Flaw
Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking eventName.startsWith or eventName.toString, while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively...
CVE-2023-30591 NodeBB Pre-Authentication Denial-of-Service
Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking eventName.startsWith or eventName.toString, while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively...
NodeBB < 2.6.1 Account Takeover Vulnerability
NodeBB is prone to an account takeover vulnerability. (Detection script by Greenbone AG, 2023; some text descriptions are excerpted from referenced sources and remain copyright of the respective right holders. Target CPE: cpe:/a:nodebb:nodebb.)
CVE-2023-37899
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like const message = { toString: '' } which would cause the NodeJS process to crash when sending an unexpected Socket.io...
Design/Logic Flaw
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like const message = { toString: '' } which would cause the NodeJS process to crash when sending an unexpected Socket.io...
CVE-2023-37899 feathersjs socket handler allows abusing implicit toString
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like const message = { toString: '' } which would cause the NodeJS process to crash when sending an unexpected Socket.io...
CVE-2023-37899
CVE-2023-37899 concerns Feathersjs: the socket handler fails to catch invalid string conversion errors (e.g., a crafted toString object), causing Node.js to crash on unexpected Socket.io messages. A fix is available in Feathers versions 5.0.8 and 4.5.18; users should upgrade. There is no known wo...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service due to [CVE-2023-32695]
Summary Node.js module Socket.IO is used by IBM App Connect Enterprise Certified Container for updating a DesignerAuthoring webconsole. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service. This bulletin provides patch information to addres...