Closed clempat closed 1 week ago
A security alert triggered on our project highlighted the following issue.
The latest possible version of socket.io that can be installed is 4.4.1. The earliest fixed version is 4.6.2.
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
References