CVE-2024-38355
Description
Socket.IO is an open source, real-time, bidirectional, event-based communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, killing the Node.js process. This issue is fixed by commit 15af22fc22, which is included in socket.io@4.6.2 (released in May 2023). The fix was backported to the 2.x branch as commit d30630ba10. Users are advised to upgrade; users unable to upgrade may attach a listener for the "error" event to catch these errors.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| socket.io (npm) | < 2.5.1 | 2.5.1 |
| socket.io (npm) | >= 3.0.0, < 4.6.2 | 4.6.2 |
Patches
d30630ba1056 fix: add a noop handler for the error event
1 file changed · +6 −6
lib/socket.js+6 −6 modified@@ -49,6 +49,8 @@ var flags = [ var emit = Emitter.prototype.emit; +function noop() {} + /** * Interface to a `Client` for a given `Namespace`. * @@ -72,6 +74,9 @@ function Socket(nsp, client, query){ this.fns = []; this.flags = {}; this._rooms = []; + + // prevents crash when the socket receives an "error" event without listener + this.on('error', noop); } /** @@ -427,12 +432,7 @@ Socket.prototype.ondisconnect = function(){ */ Socket.prototype.onerror = function(err){ - if (this.listeners('error').length) { - this.emit('error', err); - } else { - console.error('Missing error handler on `socket`.'); - console.error(err.stack); - } + this.emit('error', err); }; /**
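Review bot: the constructor hunk (`this.on('error', noop)`) is what actually prevents the process exit, not the `onerror` simplification; a Node EventEmitter throws when `emit('error')` runs with no listener, so the now-unconditional `this.emit('error', err)` in `onerror` is only safe because the noop listener is registered first, and the two hunks must be kept together (a later refactor that drops the constructor line reintroduces the crash). Also, the removed `console.error('Missing error handler on \`socket\`.')` branch was the only diagnostic for this condition; with the noop silently absorbing unhandled errors, consider a debug-level log in `onerror` so invalid packets remain visible to operators.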
15af22fc22bc refactor: add a noop handler for the error event
1 file changed · +8 −6
lib/socket.ts+8 −6 modified@@ -280,6 +280,9 @@ export class Socket< } } this.handshake = this.buildHandshake(auth); + + // prevents crash when the socket receives an "error" event without listener + this.on("error", noop); } /** @@ -720,12 +723,11 @@ export class Socket< * @private */ _onerror(err: Error): void { - if (this.listeners("error").length) { - this.emitReserved("error", err); - } else { - console.error("Missing error handler on `socket`."); - console.error(err.stack); - } + // FIXME the meaning of the "error" event is overloaded: + // - it can be sent by the client (`socket.emit("error")`) + // - it can be emitted when the connection encounters an error (an invalid packet for example) + // - it can be emitted when a packet is rejected in a middleware (`socket.use()`) + this.emitReserved("error", err); } /**
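Review bot: `noop` is referenced in the constructor hunk but this patch adds neither a definition nor an import for it (the +8 lines are the three constructor lines and the five FIXME/emit lines), so confirm it already exists in lib/socket.ts; the 2.x backport adds `function noop() {}` explicitly. The FIXME comment lists three sources for the overloaded "error" event (client-sent, invalid packet, middleware rejection) without resolving them; a tracking issue, or a separate internal event for connection-level errors, would let applications tell a client-sent `error` from a decoder or middleware failure. As in the 2.x patch, the `console.error("Missing error handler on \`socket\`.")` diagnostic is removed without a replacement, so a debug-level log is worth considering here too.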
References
- github.com/advisories/GHSA-25hc-qcg6-38wj (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-38355 (GHSA, advisory)
- github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115 (NVD, web)
- github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c (NVD, web)
- github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj (NVD, web)
- www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355 (NVD)