High severity7.3OSV Advisory· Published Jun 19, 2024· Updated Apr 15, 2026
CVE-2024-38355
CVE-2024-38355
Description
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22 which has been included in socket.io@4.6.2 (released in May 2023). The fix was backported in the 2.x branch as well with commit d30630ba10. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
socket.ionpm | < 2.5.1 | 2.5.1 |
socket.ionpm | >= 3.0.0, < 4.6.2 | 4.6.2 |
Affected products
4- ghsa-coords3 versionspkg:npm/socket.iopkg:rpm/opensuse/pgadmin4&distro=openSUSE%20Leap%2015.6pkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6
< 2.5.1+ 2 more
- (no CPE)range: < 2.5.1
- (no CPE)range: < 8.5-150600.3.6.1
- (no CPE)range: < 8.5-150600.3.6.1
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-25hc-qcg6-38wjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-38355ghsaADVISORY
- github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115nvdWEB
- github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119cnvdWEB
- github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wjnvdWEB
- www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355nvd
News mentions
0No linked articles in our index yet.