CVE-2024-38355
CVSS V2 None
CVSS V3 None
Description
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.
Overview
- CVE ID
- CVE-2024-38355
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-06-19T19:48:50.193Z
- Last Modified Date
- 2024-06-19T19:48:50.193Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj | x_refsource_CONFIRM |
| https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115 | x_refsource_MISC |
| https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c | x_refsource_MISC |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-38355 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38355 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-06-26 14:52:23 | Added to TrackCVE |