Описание
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22 which has been included in socket.io@4.6.2 (released in May 2023). The fix was backported in the 2.x branch as well with commit d30630ba10. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.
A vulnerability was found in Socket.IO where a specially crafted packet can trigger an uncaught exception on the server, causing the Node.js process to crash. When the server receives this malformed packet, it results in an unhandled error event that stops the Socket.IO server from functioning correctly. This issue arises because the server fails to manage unexpected errors properly, leading to a disruption in service.
Отчет
This flaw occurs because the server fails to handle certain errors properly, leading to a complete server shutdown. Since the attack requires no special privileges or user interaction and can be done remotely, it poses a significant risk to server stability and availability. This vulnerability is rated as IMPORTANT due to its potential to disrupt service and impact server performance.
Меры по смягчению последствий
It is recommended to update to the latest version to address this vulnerability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | ||
| Red Hat Fuse 7 | socket.io | Will not fix | ||
| Red Hat JBoss Data Grid 7 | socket.io | Will not fix | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.3 High
CVSS3
Связанные уязвимости
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.
EPSS
7.3 High
CVSS3