VYPR
High severity7.3OSV Advisory· Published Jun 19, 2024· Updated Apr 15, 2026

CVE-2024-38355

CVE-2024-38355

Description

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22 which has been included in socket.io@4.6.2 (released in May 2023). The fix was backported in the 2.x branch as well with commit d30630ba10. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
socket.ionpm
< 2.5.12.5.1
socket.ionpm
>= 3.0.0, < 4.6.24.6.2

Affected products

4

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.