7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-38355

GHSA ID

GHSA-25hc-qcg6-38wj

EPSS Score

0.28386%

CWE

CWE-20

Published

6/19/2024

Updated

11/18/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-38355

CVE-2024-38355: socket.io has an unhandled 'error' event

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

| Version range | Needs minor update? | |------------------|------------------------------------------------| | 4.6.2...latest | Nothing to do | | 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) | | 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

(GitHub Advisory)

7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-38355

GHSA ID

GHSA-25hc-qcg6-38wj

EPSS Score

0.28386%

CWE

CWE-20

Published

6/19/2024

Updated

11/18/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
socket.io	npm	< 2.5.0	2.5.1
socket.io	npm	>= 3.0.0, < 4.6.2	4.6.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from error event handling in Socket.IO's Socket class. Both versions (2.x and 4.x) had similar patterns where:

The error emission logic in onerror/_onerror methods didn't guarantee a listener exists
Node.js would throw unhandled exceptions when emitting error events without listeners
The patches added default noop handlers in constructors (socket.ts:280, socket.js:74) and simplified error emission
Pre-patch versions contained conditional logic that failed to prevent unhandled errors when no user-defined listeners were present
The stack trace in the advisory points to socket.js:531 (v4.x equivalent to socket.ts error handling)

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * sp**i*lly *r**t** So*k*t.IO p**k*t **n tri***r *n un**u**t *x**ption on t** So*k*t.IO s*rv*r, t*us killin* t** No**.js pro**ss. ``` no**:*v*nts:*** t*row *rr; // Un**n*l** '*rror' *v*nt ^ *rror [*RR_UN**N*L**_*RROR]: Un**n*l**

Reasoning

T** vuln*r**ility st*ms *rom *rror *v*nt **n*lin* in So*k*t.IO's So*k*t *l*ss. *ot* v*rsions (*.x *n* *.x) *** simil*r p*tt*rns w**r*: *. T** *rror *mission lo*i* in on*rror/_on*rror m*t*o*s *i*n't *u*r*nt** * list*n*r *xists *. No**.js woul* t*row u

7.3

Basic Information

Concerned about an active attack path?

CVE-2024-38355: socket.io has an unhandled 'error' event

Impact

Affected versions

Patches

Workarounds

For more information

References

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI