CVE-2024-38355
socket.io has an unhandled 'error' event
Description
### Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

```
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```

### Affected versions

| Version range | Needs minor update? |
|------------------|------------------------------------------------|
| `4.6.2...latest` | Nothing to do |
| `3.0.0...4.6.1` | Please upgrade to `socket.io@4.6.2` (at least) |
| `2.3.0...2.5.0` | Please upgrade to `socket.io@2.5.1` |

### Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in `socket.io@4.6.2` (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

### Workarounds

As a workaround for the affected versions of the `socket.io` package, you can attach a listener for the "error" event:

```js
io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});
```

### For more information

If you have any questions or comments about this advisory:

- Open a discussion [here](https://github.com/socketio/socket.io/discussions)

Thanks a lot to [Paul Taylor](https://github.com/Y0ursTruly) for the responsible disclosure.

### References

- https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
- https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
How to fix CVE-2024-38355
To remediate CVE-2024-38355, upgrade the affected package to a fixed version below.
- `socket.io`: upgrade to 2.5.1 or later
Is CVE-2024-38355 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.