First published: Wed Jun 19 2024(Updated: )
### Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

```
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```

### Affected versions

| Version range | Needs minor update? |
|------------------|------------------------------------------------|
| `4.6.2...latest` | Nothing to do |
| `3.0.0...4.6.1` | Please upgrade to `socket.io@4.6.2` (at least) |
| `2.3.0...2.5.0` | Please upgrade to `socket.io@2.5.1` |

### Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in `socket.io@4.6.2` (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

### Workarounds

As a workaround for the affected versions of the `socket.io` package, you can attach a listener for the "error" event:

```js
io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});
```

### For more information

If you have any questions or comments about this advisory:

- Open a discussion [here](https://github.com/socketio/socket.io/discussions)

Thanks a lot to [Paul Taylor](https://github.com/Y0ursTruly) for the responsible disclosure.

### References

- https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
- https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/socket.io | >=3.0.0 <4.6.2 | 4.6.2 |
| npm/socket.io | <=2.5.0 | 2.5.1 |
GHSA-25hc-qcg6-38wj is a denial-of-service issue: a single malformed packet from a connected client raises an unhandled "error" event on the server-side socket, the resulting uncaught exception terminates the Node.js process, and every other connected client is dropped until the process is restarted. The advisory describes an availability impact only.
To fix GHSA-25hc-qcg6-38wj, upgrade Socket.IO to version 4.6.2 or higher, or to version 2.5.1 if using the 2.x series; `npm ls socket.io` shows which version is actually installed, including copies pulled in transitively.
GHSA-25hc-qcg6-38wj affects Socket.IO versions from 3.0.0 up to but not including 4.6.2, and 2.x versions up to and including 2.5.0.
Any client that can open a Socket.IO connection to the server can trigger GHSA-25hc-qcg6-38wj by sending a specially crafted packet; no authentication beyond whatever the server's connection middleware enforces is needed.
Upgrading Socket.IO to the recommended versions is the primary fix for GHSA-25hc-qcg6-38wj; attaching an "error" listener to each socket is a stop-gap for deployments that cannot upgrade immediately.