Socket.IO 0.6.0 is the release that followed 0.5.3. Both are versions of a popular library for real-time, bidirectional communication between web clients and servers. Aimed at developers building interactive features such as chat applications, live updates and collaborative tools, Socket.IO hides the complexity of WebSocket handling behind a more accessible and robust abstraction for persistent connections.
Both versions share the same core functionality, a cross-browser WebSocket abstraction, and both are authored by LearnBoost. The update from 0.5.3 to 0.6.0 likely comprises refinements, bug fixes and possible performance improvements. Detailed changelogs require further research, but developers considering an upgrade from 0.5.3 can expect improvements in connection stability, reduced latency and possibly better support for newer browser versions or WebSocket protocol implementations. The newer version may also introduce small API changes or new configuration options for managing socket connections. The commit history and documentation for the 0.6.0 release give the precise scope of these changes and allow an informed decision on a migration path. Both versions are available through the npm registry, but using a newer version is strongly recommended, since later releases incorporate the security fixes listed below.
All the vulnerabilities related to version 0.6.0 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
Versions of the socket.io package before 2.4.0 are vulnerable to Insecure Defaults due to CORS misconfiguration: all domains are whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```
node:events:502
      throw err; // Unhandled 'error' event
      ^
Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range | Needs minor update? |
|---------------|---------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

```javascript
io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});
```
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.