GitHub_MVULNRICHMENT:CVE-2024-38355CVE-2024-38355 Unhandled 'error' event in socket.io
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
yes
Technical Impact
partial
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22 which has been included in [email protected] (released in May 2023). The fix was backported in the 2.x branch as well with commit d30630ba10. Users are advised to upgrade. Users unable to upgrade may attach a listener for the “error” event to catch these errors.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:socket:socket.io:*:*:*:*:*:node.js:*:*"
],
"vendor": "socket",
"product": "socket.io",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "2.5.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "3.0.0",
"lessThan": "4.6.2",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
yes
Technical Impact
partial