{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38355", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-14T14:16:16.464Z", "datePublished": "2024-06-19T19:48:50.193Z", "dateUpdated": "2024-09-03T20:35:40.515Z"}, "containers": {"cna": {"title": "Unhandled 'error' event in socket.io", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-754", "lang": "en", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj"}, {"name": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "tags": ["x_refsource_MISC"], "url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115"}, {"name": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "tags": ["x_refsource_MISC"], "url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c"}], "affected": [{"vendor": "socketio", "product": "socket.io", "versions": [{"version": "< 2.5.1", "status": "affected"}, {"version": ">= 3.0.0,< 4.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-19T19:48:50.193Z"}, "descriptions": [{"lang": "en", "value": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n"}], "source": {"advisory": "GHSA-25hc-qcg6-38wj", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:47:44.453Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj"}, {"name": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115"}, {"name": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c"}, {"url": "https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355"}]}, {"affected": [{"vendor": "socket", "product": "socket.io", "cpes": ["cpe:2.3:a:socket:socket.io:*:*:*:*:*:node.js:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.5.1", "versionType": "custom"}, {"version": "3.0.0", "status": "affected", "lessThan": "4.6.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-03T15:54:14.198687Z", "id": "CVE-2024-38355", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T20:35:40.515Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "name": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "name": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "name": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:47:44.453Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38355", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-03T15:54:14.198687Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:socket:socket.io:*:*:*:*:*:node.js:*:*"], "vendor": "socket", "product": "socket.io", "versions": [{"status": "affected", "version": "0", "lessThan": "2.5.1", "versionType": "custom"}, {"status": "affected", "version": "3.0.0", "lessThan": "4.6.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T20:35:24.356Z"}}], "cna": {"title": "Unhandled 'error' event in socket.io", "source": {"advisory": "GHSA-25hc-qcg6-38wj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "socketio", "product": "socket.io", "versions": [{"status": "affected", "version": "< 2.5.1"}, {"status": "affected", "version": ">= 3.0.0,< 4.6.2"}]}], "references": [{"url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "name": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "name": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "name": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-19T19:48:50.193Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38355", "state": "PUBLISHED", "dateUpdated": "2024-09-03T20:35:40.515Z", "dateReserved": "2024-06-14T14:16:16.464Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-19T19:48:50.193Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n"}, {"lang": "es", "value": "Socket.IO es un framework de comunicaci\u00f3n de c\u00f3digo abierto, en tiempo real, bidireccional y basado en eventos. Un paquete Socket.IO especialmente manipulado puede desencadenar una excepci\u00f3n no detectada en el servidor Socket.IO, matando as\u00ed el proceso Node.js. Este problema se solucion\u00f3 mediante el commit `15af22fc22` que se incluy\u00f3 en `socket.io@4.6.2` (publicado en mayo de 2023). La soluci\u00f3n tambi\u00e9n se respald\u00f3 en la rama 2.x con el commit `d30630ba10`. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden adjuntar un detector del evento \"error\" para detectar estos errores."}], "id": "CVE-2024-38355", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-19T20:15:11.180", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115"}, {"source": "security-advisories@github.com", "url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c"}, {"source": "security-advisories@github.com", "url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-754"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "socket.io: Unhandled 'error' event", "id": "2293192", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293192"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-20", "details": ["Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.", "A vulnerability was found in Socket.IO where a specially crafted packet can trigger an uncaught exception on the server, causing the Node.js process to crash. When the server receives this malformed packet, it results in an unhandled error event that stops the Socket.IO server from functioning correctly. This issue arises because the server fails to manage unexpected errors properly, leading to a disruption in service."], "mitigation": {"lang": "en:us", "value": "It is recommended to update to the latest version to address this vulnerability."}, "name": "CVE-2024-38355", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "socket.io", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "socket.io", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2024-06-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38355\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38355\nhttps://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj"], "statement": "This flaw occurs because the server fails to handle certain errors properly, leading to a complete server shutdown. Since the attack requires no special privileges or user interaction and can be done remotely, it poses a significant risk to server stability and availability. This vulnerability is rated as IMPORTANT due to its potential to disrupt service and impact server performance.", "threat_severity": "Important"}

{}