{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38355", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-14T14:16:16.464Z", "datePublished": "2024-06-19T19:48:50.193Z", "dateUpdated": "2024-06-19T19:48:50.193Z"}, "containers": {"cna": {"title": "Unhandled 'error' event in socket.io", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-754", "lang": "en", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj"}, {"name": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "tags": ["x_refsource_MISC"], "url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115"}, {"name": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "tags": ["x_refsource_MISC"], "url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c"}], "affected": [{"vendor": "socketio", "product": "socket.io", "versions": [{"version": "< 2.5.1", "status": "affected"}, {"version": ">= 3.0.0,< 4.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-19T19:48:50.193Z"}, "descriptions": [{"lang": "en", "value": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n"}], "source": {"advisory": "GHSA-25hc-qcg6-38wj", "discovery": "UNKNOWN"}}}}

{"descriptions": [{"lang": "en", "value": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n"}, {"lang": "es", "value": "Socket.IO es un framework de comunicaci\u00f3n de c\u00f3digo abierto, en tiempo real, bidireccional y basado en eventos. Un paquete Socket.IO especialmente manipulado puede desencadenar una excepci\u00f3n no detectada en el servidor Socket.IO, matando as\u00ed el proceso Node.js. Este problema se solucion\u00f3 mediante el commit `15af22fc22` que se incluy\u00f3 en `socket.io@4.6.2` (publicado en mayo de 2023). La soluci\u00f3n tambi\u00e9n se respald\u00f3 en la rama 2.x con el commit `d30630ba10`. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden adjuntar un detector del evento \"error\" para detectar estos errores."}], "id": "CVE-2024-38355", "lastModified": "2024-06-20T12:43:25.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-19T20:15:11.180", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115"}, {"source": "security-advisories@github.com", "url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c"}, {"source": "security-advisories@github.com", "url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-754"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}