High severity - Uncaught Exception vulnerability in socket.io (package.json)

[github-actions[bot]]

• Package Manager: npm
• Vulnerable module: socket.io
• Introduced through: juice-shop@12.3.0 and socket.io@3.1.2

  Detailed paths

• Introduced through: juice-shop@12.3.0 › socket.io@3.1.2

  Overview

  socket.io is a node.js realtime framework server.

Affected versions of this package are vulnerable to Uncaught Exception in handling error events. If there is no listener set up for such events, an attacker can send packets containing them to crash the Node process.

Workaround

This vulnerability can be avoided by attaching a listener for error events, such as

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

Remediation

Upgrade socket.io to version 2.5.1, 4.6.2 or higher.

References

• GitHub Commit
• GitHub Commit
  SNYK-JS-SOCKETIO-7278048
  (CVE-2024-38355) socket.io@3.1.2