CVE-2024-38355 - OpenCVE

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj
https://nvd.nist.gov/vuln/detail/CVE-2024-38355
https://www.cve.org/CVERecord?id=CVE-2024-38355
https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355

History

Tue, 03 Sep 2024 21:30:00 +0000

Type	Values Removed	Values Added
References		https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-19T19:48:50.193Z

Updated: 2024-09-03T20:35:40.515Z

Reserved: 2024-06-14T14:16:16.464Z

Link: CVE-2024-38355

Vulnrichment

Updated: 2024-08-19T07:47:44.453Z

NVD

Status : Awaiting Analysis

Published: 2024-06-19T20:15:11.180

Modified: 2024-06-20T12:43:25.663

Link: CVE-2024-38355

Redhat

Severity : Important

Publid Date: 2024-06-20T00:00:00Z

Links: CVE-2024-38355 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38355", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-14T14:16:16.464Z", "datePublished": "2024-06-19T19:48:50.193Z", "dateUpdated": "2024-09-03T20:35:40.515Z"}, "containers": {"cna": {"title": "Unhandled 'error' event in socket.io", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-754", "lang": "en", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj"}, {"name": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "tags": ["x_refsource_MISC"], "url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115"}, {"name": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "tags": ["x_refsource_MISC"], "url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c"}], "affected": [{"vendor": "socketio", "product": "socket.io", "versions": [{"version": "< 2.5.1", "status": "affected"}, {"version": ">= 3.0.0,< 4.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-19T19:48:50.193Z"}, "descriptions": [{"lang": "en", "value": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n"}], "source": {"advisory": "GHSA-25hc-qcg6-38wj", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:47:44.453Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj"}, {"name": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115"}, {"name": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c"}, {"url": "https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355"}]}, {"affected": [{"vendor": "socket", "product": "socket.io", "cpes": ["cpe:2.3:a:socket:socket.io:*:*:*:*:*:node.js:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.5.1", "versionType": "custom"}, {"version": "3.0.0", "status": "affected", "lessThan": "4.6.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-03T15:54:14.198687Z", "id": "CVE-2024-38355", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T20:35:40.515Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "name": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "name": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "name": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:47:44.453Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38355", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-03T15:54:14.198687Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:socket:socket.io:*:*:*:*:*:node.js:*:*"], "vendor": "socket", "product": "socket.io", "versions": [{"status": "affected", "version": "0", "lessThan": "2.5.1", "versionType": "custom"}, {"status": "affected", "version": "3.0.0", "lessThan": "4.6.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T20:35:24.356Z"}}], "cna": {"title": "Unhandled 'error' event in socket.io", "source": {"advisory": "GHSA-25hc-qcg6-38wj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "socketio", "product": "socket.io", "versions": [{"status": "affected", "version": "< 2.5.1"}, {"status": "affected", "version": ">= 3.0.0,< 4.6.2"}]}], "references": [{"url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "name": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "name": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "name": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-19T19:48:50.193Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38355", "state": "PUBLISHED", "dateUpdated": "2024-09-03T20:35:40.515Z", "dateReserved": "2024-06-14T14:16:16.464Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-19T19:48:50.193Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n"}, {"lang": "es", "value": "Socket.IO es un framework de comunicaci\u00f3n de c\u00f3digo abierto, en tiempo real, bidireccional y basado en eventos. Un paquete Socket.IO especialmente manipulado puede desencadenar una excepci\u00f3n no detectada en el servidor Socket.IO, matando as\u00ed el proceso Node.js. Este problema se solucion\u00f3 mediante el commit `15af22fc22` que se incluy\u00f3 en `socket.io@4.6.2` (publicado en mayo de 2023). La soluci\u00f3n tambi\u00e9n se respald\u00f3 en la rama 2.x con el commit `d30630ba10`. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden adjuntar un detector del evento \"error\" para detectar estos errores."}], "id": "CVE-2024-38355", "lastModified": "2024-06-20T12:43:25.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-19T20:15:11.180", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115"}, {"source": "security-advisories@github.com", "url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c"}, {"source": "security-advisories@github.com", "url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-754"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "socket.io: Unhandled 'error' event", "id": "2293192", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293192"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-20", "details": ["Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.", "A vulnerability was found in Socket.IO where a specially crafted packet can trigger an uncaught exception on the server, causing the Node.js process to crash. When the server receives this malformed packet, it results in an unhandled error event that stops the Socket.IO server from functioning correctly. This issue arises because the server fails to manage unexpected errors properly, leading to a disruption in service."], "mitigation": {"lang": "en:us", "value": "It is recommended to update to the latest version to address this vulnerability."}, "name": "CVE-2024-38355", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "socket.io", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "socket.io", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2024-06-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38355\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38355\nhttps://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj"], "statement": "This flaw occurs because the server fails to handle certain errors properly, leading to a complete server shutdown. Since the attack requires no special privileges or user interaction and can be done remotely, it poses a significant risk to server stability and availability. This vulnerability is rated as IMPORTANT due to its potential to disrupt service and impact server performance.", "threat_severity": "Important", "upstream_fix": "socket.io 2.5.1, socket.io 4.6.2"}