Socket.IO versions 0.4.0 and 0.4.1 represent incremental improvements in this popular library, designed for real-time, bidirectional communication between web clients and servers. Both versions, authored by LearnBoost, share the same core description: “Sockets for the rest of us,” reflecting the library's aim to simplify websocket usage. They also utilize the same repository on GitHub.
Judging from the metadata, the only difference between the two versions is the version number. Socket.IO 0.4.1 is a patch release following 0.4.0. Patch releases (the last number in semantic versioning) generally contain bug fixes, minor tweaks, and performance improvements. Oddly, the metadata shows both versions being released at exactly the same time.
For developers, this means that upgrading from 0.4.0 to 0.4.1 should be low risk, since a patch release normally addresses issues found in the initial 0.4.0 release without introducing breaking changes. Expect increased stability, slightly better performance, and fixes for bugs reported against the previous iteration. Consult the change log in the GitHub repository for the actual fixes, since the metadata alone gives no clue about them.
All the vulnerabilities related to version 0.4.1 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The socket.io package before 2.4.0 is vulnerable to Insecure Defaults due to CORS misconfiguration: all origins are whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```text
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range | Needs minor update? |
|---------------|---------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event on every connected socket:

```javascript
// io is the socket.io Server instance; attaching an "error" listener per
// socket prevents the unhandled 'error' event from crashing the process.
io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});
```
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.