GHSA-25hc-qcg6-38wj

Suggest an improvement
Source
https://github.com/advisories/GHSA-25hc-qcg6-38wj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-25hc-qcg6-38wj/GHSA-25hc-qcg6-38wj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-25hc-qcg6-38wj
Aliases
Published
2024-06-19T15:04:41Z
Modified
2024-11-18T16:26:46Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
socket.io has an unhandled 'error' event
Details

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

| Version range | Needs minor update? | |------------------|------------------------------------------------| | 4.6.2...latest | Nothing to do | | 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) | | 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

  • https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
  • https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
Database specific
{
    "nvd_published_at": "2024-06-19T20:15:11Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-754"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-19T15:04:41Z"
}
References

Affected packages

npm / socket.io

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.5.1

Database specific

{
    "last_known_affected_version_range": "< 2.5.0"
}

npm / socket.io

Package

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
4.6.2