CVE-2024-38355 Information

Description

Socket.IO is an open source real-time bidirectional event-based communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22, which has been included in socket.io@4.6.2 (released in May 2023). The fix was backported to the 2.x branch as well with commit d30630ba10. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.

Reference

https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj
https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c