Socket.IO versions 0.4.0 and 0.3.8, both described as "Sockets for the rest of us," are early releases of this popular real-time communication library. Although the version numbers are close, there are subtle differences that could affect a developer's choice. Both versions were authored by LearnBoost and share the same core description and Git repository. They also carry the same release date on the npm registry, although this is likely a glitch.
A key distinction for developers lies in the licensing information. Version 0.3.8 explicitly declares an MIT license, with a URL pointing to the README on GitHub, so its usage rights and permissions are clear. Version 0.4.0 omits this explicit license declaration, which may raise questions about its legal terms of use for developers who rely on explicit licensing.
The declared license also makes version 0.3.8 more attractive to developers concerned with open-source compliance and redistribution rights. Developers choosing between the two versions should weigh the implications of the missing license in version 0.4.0 and may need to consult the project's broader documentation or repository to understand the intended licensing terms; for the later release 0.4.0 in particular, inspect the GitHub repository for the license to be sure you comply with the correct terms. In both cases the main way to install the library is via the tarball URL supplied as metadata under the dist key.
All the vulnerabilities related to version 0.4.0 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
Versions of the socket.io package before 2.4.0 are vulnerable to Insecure Defaults due to CORS misconfiguration: all domains are whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
| Version range  | Needs minor update?                            |
|----------------|------------------------------------------------|
| 4.6.2...latest | Nothing to do                                  |
| 3.0.0...4.6.1  | Please upgrade to socket.io@4.6.2 (at least)   |
| 2.3.0...2.5.0  | Please upgrade to socket.io@2.5.1              |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.