exploitDog
GHSA-25hc-qcg6-38wj

Published: 19 Jun 2024
Source: github
GitHub: reviewed
CVSS4: 6.9
CVSS3: 7.3

Description

socket.io has an unhandled 'error' event

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Version range       Needs minor update?
4.6.2...latest      Nothing to do
3.0.0...4.6.1       Please upgrade to socket.io@4.6.2 (at least)
2.3.0...2.5.0       Please upgrade to socket.io@2.5.1

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported to the 2.x branch on the day of this advisory: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, attach a listener for the "error" event on every connected socket. Node.js only throws (and kills the process) when an 'error' event is emitted on an EventEmitter that has no 'error' listener, so the presence of the listener is what prevents the crash:

    io.on("connection", (socket) => {
      socket.on("error", (err) => {
        // Malformed packet from this client: log it and drop it instead of
        // letting Node.js turn it into an uncaught exception.
      });
    });

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

Packages

Name: socket.io (npm)
Affected versions: < 2.5.0
Fixed version: 2.5.1

Name: socket.io (npm)
Affected versions: >= 3.0.0, < 4.6.2
Fixed version: 4.6.2

EPSS

Percentile: 28%
Score: 0.001
Low

6.9 Medium

CVSS4

7.3 High

CVSS3

Weaknesses

CWE-20
CWE-754

Related vulnerabilities

CVSS3: 7.3
redhat
about 1 year ago

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.

CVSS3: 7.3
nvd
about 1 year ago

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.

suse-cvrf
10 months ago

Security update for pgadmin4
