CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
yes
Technical Impact
partial
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22
which has been included in [email protected]
(released in May 2023). The fix was backported in the 2.x branch as well with commit d30630ba10
. Users are advised to upgrade. Users unable to upgrade may attach a listener for the “error” event to catch these errors.
[
{
"cpes": [
"cpe:2.3:a:socket:socket.io:*:*:*:*:*:node.js:*:*"
],
"vendor": "socket",
"product": "socket.io",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "2.5.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "3.0.0",
"lessThan": "4.6.2",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
yes
Technical Impact
partial