CVE-2024-38355

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-38355
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38355.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-38355
Aliases
Related
Published
2024-06-19T20:15:11Z
Modified
2024-10-12T11:25:20.302036Z
Summary
[none]
Details

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22 which has been included in socket.io@4.6.2 (released in May 2023). The fix was backported in the 2.x branch as well with commit d30630ba10. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.

References

Affected packages

Git / github.com/socketio/socket.io

Affected ranges

Type
GIT
Repo
https://github.com/socketio/socket.io
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

0.*

0.7.0
0.7.1
0.7.10
0.7.11
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.9.0
0.9.1
0.9.1-1
0.9.10
0.9.11
0.9.12
0.9.2
0.9.3
0.9.4
0.9.5
0.9.7
0.9.8
0.9.9

1.*

1.0.0
1.0.0-pre
1.0.0-pre2
1.0.0-pre3
1.0.0-pre4
1.0.0-pre5
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.5.0
1.5.1
1.6.0
1.7.0
1.7.1
1.7.2

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.1.1
2.2.0
2.3.0
2.4.0
2.4.1
2.5.0

3.*

3.0.0
3.0.0-rc1
3.0.0-rc2
3.0.0-rc3
3.0.0-rc4
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.1.0
3.1.1
3.1.2

4.*

4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.3.0
4.3.1
4.3.2
4.4.0
4.4.1
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.6.0
4.6.0-alpha1
4.6.1