CVE-2024-38355

HIGH7.3EPSS 0.14%

socket.io has an unhandled 'error' event

發布日:2024/6/19修改日:2024/11/18

描述

### Impact A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. ``` node:events:502 throw err; // Unhandled 'error' event ^ Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined) at new NodeError (node:internal/errors:405:5) at Socket.emit (node:events:500:17) at /myapp/node_modules/socket.io/lib/socket.js:531:14 at process.processTicksAndRejections (node:internal/process/task_queues:77:11) { code: 'ERR_UNHANDLED_ERROR', context: undefined } ``` ### Affected versions | Version range | Needs minor update? | |------------------|------------------------------------------------| | `4.6.2...latest` | Nothing to do | | `3.0.0...4.6.1` | Please upgrade to `[email protected]` (at least) | | `2.3.0...2.5.0` | Please upgrade to `[email protected]` | ### Patches This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in `[email protected]` (released in May 2023). The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c ### Workarounds As a workaround for the affected versions of the `socket.io` package, you can attach a listener for the "error" event: ```js io.on("connection", (socket) => { socket.on("error", () => { // ... }); }); ``` ### For more information If you have any questions or comments about this advisory: - Open a discussion [here](https://github.com/socketio/socket.io/discussions) Thanks a lot to [Paul Taylor](https://github.com/Y0ursTruly) for the responsible disclosure. ### References - https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115 - https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
osvCVSS 3.1HIGH7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

參考連結(5)