Socket.IO is a popular library enabling real-time, bidirectional communication between web clients and servers. Versions 0.5.1 and 0.5.3, both released around December 2010, represent early iterations of this powerful tool, foundational for developers seeking to build interactive web applications. While the core functionality remains consistent between the two releases, developers will be interested in understanding the subtle changes that may have been introduced.
Given identical release dates, 0.5.3 likely addresses minor bug fixes or incremental improvements built upon the 0.5.1 foundation. Developers contemplating which version to use, perhaps in a legacy project, should investigate changelogs or diffs between these versions if available. Minor version bumps often contain crucial stability enhancements or security patches, making the newer version preferable, assuming no compatibility issues arise.
The library, attributed to LearnBoost, facilitates the creation of features like live chat, collaborative editing, and real-time data visualization. Knowing that these versions depend on a Git repository hosted at http://github.com/LearnBoost/Socket.IO-node.git is useful for those needing deep dives into the codebase or contributing. The tarball URLs enable direct downloads for manual installation or archival purposes, although using a package manager like npm is generally recommended for dependency management and simplified updates.
All known vulnerabilities affecting version 0.5.3 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The socket.io package before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration: all origins are whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range  | Needs minor update?                              |
|----------------|--------------------------------------------------|
| 4.6.2...latest | Nothing to do                                    |
| 3.0.0...4.6.1  | Please upgrade to socket.io@4.6.2 (at least)     |
| 2.3.0...2.5.0  | Please upgrade to socket.io@2.5.1                |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event on every connected socket:

```javascript
io.on("connection", (socket) => {
  // Any "error" listener stops Node.js from turning the event into an
  // uncaught exception that would kill the process.
  socket.on("error", () => {
    // ...
  });
});
```
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.