Socket.IO Vulnerability Fix: Uncaught Exceptions Can Trigger Node.js Process Killing
CVE-2024-38355
7.3HIGH
What is CVE-2024-38355?
The vulnerability enables an attacker to send specially crafted Socket.IO packets to the server, resulting in an unhandled exception that crashes the Node.js process. This situation can lead to service interruptions and potential exploitation by malicious actors. It is important for users to upgrade to socket.io@4.6.2 or backported versions to mitigate risks. For those unable to perform immediate upgrades, implementing an 'error' event listener will help manage these exceptions and improve server stability.
Affected Version(s)
socket.io < 2.5.1 < 2.5.1
socket.io >= 3.0.0,< 4.6.2 < 3.0.0, 4.6.2
