Version Details and Security Vulnerabilities

📦

observable

0.1.1

Comparision Betweeen 0.1.1 and 0.0.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

observable

0.1.1

Comparision Betweeen 0.1.1 and 0.0.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.1.1 of the package observable.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.1.1 of the package

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

| Version range | Needs minor update? | |------------------|------------------------------------------------| | 4.6.2...latest | Nothing to do | | 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) | | 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@0.8.6

Summary:

CORS misconfiguration in socket.io

Details:

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Details about socket.io@0.8.6

Summary:

Insecure randomness in socket.io

Details:

Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.

Recommendation

Update to v0.9.7 or later.

Details about socket.io@0.8.6

Summary:

Insecure Entropy Source - Math.random() in node-uuid

Details:

Affected versions of node-uuid consistently fall back to using Math.random as an entropy source instead of crypto, which may result in guessable UUID's.

Recommendation

Update to version 1.4.4 or later.

Details about node-uuid@1.3.3

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.1.1 of the package observable.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.1.1 of the package

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@0.8.6

Summary:

CORS misconfiguration in socket.io

Details:

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Details about socket.io@0.8.6

Summary:

Insecure randomness in socket.io

Details:

Recommendation

Update to v0.9.7 or later.

Details about socket.io@0.8.6

Summary:

Insecure Entropy Source - Math.random() in node-uuid

Details:

Affected versions of node-uuid consistently fall back to using Math.random as an entropy source instead of crypto, which may result in guessable UUID's.

Recommendation

Update to version 1.4.4 or later.

Details about node-uuid@1.3.3

Version Details and Security Vulnerabilities

observable

Comparision Betweeen 0.1.1 and 0.0.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

observable

Comparision Betweeen 0.1.1 and 0.0.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Affected versions

Patches

Workarounds

For more information

References

Recommendation

Recommendation

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Affected versions

Patches

Workarounds

For more information

References

Recommendation

Recommendation

Version Details and Security Vulnerabilities

observable

Comparision Betweeen 0.1.1 and 0.0.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

observable

Comparision Betweeen 0.1.1 and 0.0.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

socket.io@0.8.6 GHSA-25hc-qcg6-38wj 6.9

Impact

Affected versions

Patches

Workarounds

For more information

References

socket.io@0.8.6 GHSA-fxwf-4rqh-v8g3 4.3

socket.io@0.8.6 GHSA-qv2v-m59f-v5fw 7.5

Recommendation

node-uuid@1.3.3 GHSA-265q-28rp-chq5 7.5

Recommendation

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

socket.io@0.8.6 GHSA-25hc-qcg6-38wj 6.9

Impact

Affected versions

Patches

Workarounds

For more information

References

socket.io@0.8.6 GHSA-fxwf-4rqh-v8g3 4.3

socket.io@0.8.6 GHSA-qv2v-m59f-v5fw 7.5

Recommendation

node-uuid@1.3.3 GHSA-265q-28rp-chq5 7.5

Recommendation