CVE-2024-38355: socket.io has an unhandled 'error' event
(updated )
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
node:events:502
throw err; // Unhandled 'error' event
^
Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
at new NodeError (node:internal/errors:405:5)
at Socket.emit (node:events:500:17)
at /myapp/node_modules/socket.io/lib/socket.js:531:14
at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
code: 'ERR_UNHANDLED_ERROR',
context: undefined
}
References
- github.com/advisories/GHSA-25hc-qcg6-38wj
- github.com/socketio/socket.io
- github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
- github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
- github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj
- nvd.nist.gov/vuln/detail/CVE-2024-38355
Detect and mitigate CVE-2024-38355 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →