CVE-2024-38355

Date: June 19, 2024

Socket.IO is an open source, real-time, bidirectional, event-based communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit "15af22fc22", which has been included in "socket.io@4.6.2" (released in May 2023). The fix was backported to the 2.x branch as well with commit "d30630ba10". Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.
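
The workaround above, as an added example (not code from the Socket.IO project or from this advisory): Node.js's EventEmitter throws when "error" is emitted with no listener attached, which is why a single listener per socket keeps the process alive. `guardSocket`, `makeFakeSocket` and `simulateBadPacket` are hypothetical names, and a plain EventEmitter stands in for a real Socket.IO socket so the block runs without the package installed.

```javascript
// Added example: Node's built-in EventEmitter stands in for a server-side
// Socket.IO socket, so this runs offline without the socket.io package.
const { EventEmitter } = require("node:events");

// Hypothetical helper: attach the "error" listener the advisory recommends.
function guardSocket(socket, onError) {
  socket.on("error", (err) => {
    // Record the failure instead of letting it become an uncaught exception.
    const message = err && err.message ? err.message : String(err);
    onError({ id: socket.id, message });
    // Assumption (policy choice, not from the advisory): drop the client.
    if (typeof socket.disconnect === "function") socket.disconnect(true);
  });
  return socket;
}

// Constructed stand-in for a connected client socket.
function makeFakeSocket(id) {
  const s = new EventEmitter();
  s.id = id;
  s.disconnected = false;
  s.disconnect = () => { s.disconnected = true; };
  return s;
}

// Simulates the server surfacing a packet failure as an "error" event.
function simulateBadPacket(socket) {
  try {
    socket.emit("error", new Error("constructed: malformed packet"));
    return "handled";
  } catch (e) {
    // No listener: emit("error") throws. Uncaught, this ends the process.
    return "threw";
  }
}

function demo() {
  const seen = [];
  const unguarded = simulateBadPacket(makeFakeSocket("a"));
  const sock = guardSocket(makeFakeSocket("b"), (e) => seen.push(e));
  const guarded = simulateBadPacket(sock);
  return { unguarded, guarded, seen, disconnected: sock.disconnected };
}

console.log(demo());

// With the real library, the same helper is wired in per connection:
//   io.on("connection", (socket) => guardSocket(socket, console.error));
```

The listener is a stopgap for servers that cannot move to a fixed release; it has to be attached to every socket inside the "connection" handler, since each connection gets its own emitter.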

Language: TYPE_SCRIPT

Severity Score

Weakness Type (CWE)

CWE-754: Improper Check for Unusual or Exceptional Conditions

CWE-20: Improper Input Validation

Top Fix

Upgrade Version

Upgrade to version socket.io - 4.6.2; socket.io - 2.5.1

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): LOW
