Socket.IO version 0.6.1 arrives as a minor iteration over its predecessor, version 0.6.0, both crafted by LearnBoost to deliver a robust cross-browser WebSocket solution. While seemingly similar at first glance, discerning developers understand that even small version bumps can contain crucial fixes and improvements. The core functionality, centered around enabling real-time, bidirectional communication between web clients and servers, remains consistent. Both versions proudly offer that sought-after WebSocket experience across diverse browsers, easing the burden of managing differing browser capabilities.
A detailed changelog would be needed to pinpoint the exact differences between 0.6.0 and 0.6.1; in its absence, developers might anticipate subtle bug fixes, performance enhancements, or adjustments to improve stability. For those embarking on a fresh Socket.IO implementation, opting for the newer 0.6.1 is generally advisable, adhering to the principle of utilizing the latest stable release.
However, projects already running smoothly on 0.6.0 might not necessitate an immediate upgrade unless specific issues addressed in 0.6.1 are impacting their application. Evaluating the risk/reward proposition of upgrading any dependency is a standard practice, especially in established projects. Always review release notes and community discussions before updating. Both versions, with their shared foundation, empower developers to construct interactive and dynamic web applications by leveraging the power of real-time communication.
All the vulnerabilities related to version 0.6.1 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The socket.io package before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration: all domains are whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
node:events:502
throw err; // Unhandled 'error' event
^
Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
at new NodeError (node:internal/errors:405:5)
at Socket.emit (node:events:500:17)
at /myapp/node_modules/socket.io/lib/socket.js:531:14
at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
code: 'ERR_UNHANDLED_ERROR',
context: undefined
}
| Version range | Needs minor update? |
|---------------|---------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:
```javascript
io.on("connection", (socket) => {
  // Registering an "error" listener on every socket prevents Node from
  // turning the event into an uncaught exception that kills the process.
  socket.on("error", () => {
    // ...
  });
});
```
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.